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ABSTRACT 


Computing  systems  arc  evolving  into  distributed  systems  that  interconnect  competing 
organizations  and  individuals,  and  even  countries,  using  high-speed  global  networics.  The  rela¬ 
tionships  among  these  entities  are  characterized  by  the  need  for  competition  and  cooperation 
without  a  common  trusted  agent.  To  build  such  distributed  systems  that  incorporate  lack  of 
global  trust  in  them,  it  is  necessary  first  to  understand  precisely  what  trust  consists  of  and  then 
to  categorize  it.  This  thesis  develops  an  axiomatic  theory  of  trust  in  distributed  systems.  The 
theory  is  based  on  modal  logics  of  belief.  We  present  systematic  methods  for  synthesizing  pro¬ 
tocols  that  implement  a  given  trust  specification. 

Trust  is  primarily  required  to  establish  channels  for  secure  communication.  We  present 
methods  for  reasoning  about  trusts  required  by  various  channel  establishment  mechanisms. 
Channel  establishment  mechanisms  are  commonly  based  on  either  public  key  encryption  (PKE) 
or  single  key  encryption  (SKE).  PKE-based  mechanisms  require  ternary  trust  relationships 
known  as  authenticity  trusts.  SKE-based  mechanisms  have  much  larger  trust  requirements. 
Starting  from  the  differences  in  trust  requirements  of  PKE  and  SKE,  we  derive  several  advan¬ 
tages  of  the  former  over  the  latter.  Our  analyses  provide  insight  into  the  trust  structure  and  limi¬ 
tations  of  various  mechanisms. 


We  show  that  a  distributed  system  must  provide  a  tree  of  channels  at  system  configuration 
time,  and  that  this  tree  also  represents  the  system’s  global  name  space.  We  develop 
polynomial-time  algorithms  for  synthesizing  name  spaces  so  as  to  satisfy  an  a  priori  given  set 
of  trust  specifications.  We  present  some  interesting  duality  results  and  NP-completeness  results 
with  regard  to  some  variations  of  the  synthesis  problems.  Sample  runs  ol  the  polynomial-time 
algorithms  show  that  small  differences  in  trust  relationships  can  cause  substantial  differences  in 
the  structure  of  the  name  spaces. 


Trust  requirements  and  the  performance  of  channel  establishment  can  be  traded  for  each 
other.  If  channels  are  PKE-based,  slightly  increasing  the  trust  requirements  can  greatly  increase 
the  performance  of  channel  establishment  However,  if  channel  composition  is  SKE-based,  glo¬ 
bal  trusts,  which  may  not  be  satisfied  in  the  system’s  name  space,  are  required  for  significant 
improvements  in  performance. 
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Invocation 


The  inspiration  for  my  pursuit  of  doctoral  research  comes  from  the  challenge  of  discover¬ 
ing  an  answer  to  the  following  question  posed  in  the  ancient  Indian  philosophical  texts  of  the 
Mundaka  Upanyshadh  and  the  Bhagavadh  Geetha. 


Shaunako  hy  vai  mahashatho  angyrasam  vydhyvad  updsannah  prapaccha: 
“Kasmynnu  bhagavo  vygndthe,  sarvamydam  vygnatham  bhavathythy  ?” 


In  ancient  times,  Shaunaka  approached  Angyras  and  asked: 

“What  is  That,  by  knowing  Which,  everything  else  becomes  known  ?” 
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CHAPTER  1 


INTRODUCTION 


1.1.  Motivation 

A  moment’s  reflection  is  sufficient  to  realize  that  computing  systems  are  evolving  into 
very  large  distributed  systems  that  interconnect  competing  organizations  and  individuals,  and 
even  countries,  using  global  networks  (see  Figure  1.1).  The  relationships  among  these  entities 
are  characterized  by  the  need  for  competition  and  cooperation,  and  by  inherent  conflicts  of 
interests.  There  are  few  policies  that  are  agreeable  to  all  of  the  entities,  and,  even  in  the  case  of 
policies  on  which  all  the  entities  agree,  there  are  no  globally  acceptable  administrative  authori¬ 
ties  to  enforce  the  policies.  Consequently,  a  very  large  distributed  system  (VLDS)  spanning  all 
these  entities  will  be  characterized  by  the  absence  of  globally  trusted  agents.  The  interconnect¬ 
ing  networks,  owing  to  their  ultra-high  bandwidths  [S1P86],  will  be  capable  of  supporting 
secure  and  integrated,  but  extremely  fast  access  to  non-local  resources.  A  scenario  in  which 
workstations  and  high-speed  fibers  replace  telephones  and  telephone  wires,  and  a  VLDS  inter¬ 
connecting  these  workstations  replaces  the  functions  of  most  media  (telephone,  physical  mail, 
printed  media,  audio  and  video  media)  is  not  far  from  the  real  possibilities  of  the  medium-term 
future.  The  use  of  a  VLDS  for  carrying  out  commercial  operations  such  as  bank  transactions, 
monetary  transactions,  and  airline  flight  reservations  is  being  seriously  explored.  Consequently, 
the  issues  of  security  and  trust  become  critical  in  a  VLDS.  A  VLDS  must  maintain  the  security 
and  autonomy  of  its  components  without  restricting  the  sharing  of  resources  and  without  requir¬ 
ing  its  components  to  place  global  trust  in  any  entity. 
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To  build  such  distributed  systems  that  allow  partial  trust,  it  is  necessary  first  to  understand 
precisely  what  trust  consists  of,  and  then  to  characterize  it.  In  literature,  the  term  “trust”  is 
used  frequently  but  rarely  defined  [CGH81.EKW74,  Sal74,  Wei69]  [Dif82,KlP79,Lan81].  The 
kind  of  trust  that  underlies  expressions  such  as  “Alice  trusts  Bob”  has  never  been  adequately 
characterized.  Unless  we  make  an  effort  to  investigate  trust  and  security,  their  inadequate 
understanding  will  be  a  major  obstacle  to  the  commercial  realization  of  very  large  distributed 
systems. 

12.  Trust  Relationships,  Naming  and  Secure  Communication  in  Distributed  Systems 

To  see  how  trust  is  needed  in  a  distributed  system,  consider  the  case  of  secure  communi¬ 
cation  between  two  users,  Alice  and  Ibaraki .  Alice  (actually,  a  process  belonging  to  Alice)  on 
a  host  Ha  needs  to  communicate  securely  with  Ibaraki  on  another  host  HB  (see  Figure  1.2(a)). 

In  distributed  systems,  secure  communication  between  two  agents  is  based  on  the  notion 
of  a  logical  secure  channel  (or  just  a  channel)  between  the  two  agents.  A  secure  channel  has 
associated  with  it  algorithms  for  securely  sending  and  receiving  messages  on  it.  To  communi¬ 
cate  securely,  Alice  must  establish  a  secure  channel  to  Ibaraki.  Secure  channels  are  based  on 
encryption,  and  hence,  to  establish  a  secure  channel  to  Ibaraki,  Alice  must  obtain  the  encryption 
key  of  Ibaraki  [Den82,FNS75].  In  a  large  distributed  system,  the  database  of  encryption  keys 
cannot  be  replicated  at  each  host,  and  hence  encryption  keys  are  stored  and  managed  by  authen¬ 
tication  servers  [Lu86,NeS78,Ter],  Thus  Alice  must  obtain  Ibaraki’s  encryption  key  from  an 
authentication  server  (Figure  1.2(b)).  Since  the  security  of  communication  between  Alice  and 
Ibaraki  depends  on  the  validity  of  the  encryption  key  that  Alice  obtains  from  the  authentication 
server,  informally  we  can  say  that  Alice  is  placing  trust  in  the  authentication  server  with  respect 
to  Ibaraki. 

Figure  1.2(c)  shows  a  more  general  scenario  in  which  the  nodes  labeled  IBM ,  IBM-J , 
USA,  SONY -US,  JAPAN  and  SONY  are  authenticaton  servers  managed  by  the  respective 
organizations.  In  the  sequel,  we  will  use  the  term  agent  to  abstractly  denote  either  a  user  or  an 
authentication  server.  We  can  draw  some  generalizations  regarding  secure  channel  establish¬ 
ment  between  agents,  such  as  that  between  Alice  and  Ibaraki.  In  any  system,  given  a  set  of 
existing  secure  channels  (denoted  by  solid  lines  in  Figure  1.2(c)),  the  only  way  to  establish  a 
new  secure  channel  is  by  composing  adjacent  secure  channels.  Intuitively,  considering  the 
example  shown  in  Figure  1.2(c),  to  establish  a  new  channel  to  Ibaraki,  Alice  must  receive 
Ibaraki’s  encryption  key  on  one  of  Alice’s  existing  channels,  which  in  this  case  is  Alice’s  chan¬ 
nel  to  IBM .  If  we  go  back  a  step  in  the  itinerary  of  Ibaraki’s  key,  Ibaraki’s  key  must  have 
arrived  at  IBM  on  one  of  the  channels  incident  on  IBM ,  and  so  on.  Thus  for  Alice  to  establish  a 
channel  to  Ibaraki,  a  sequence  of  adjacent  channels  must  exist  forming  a  path  between  Alice 
and  Ibaraki.  In  fact,  we  will  formally  show  in  Chapter  3  that  any  secure  channel  establishment 
consists  of  a  sequence  of  channel  compositions,  with  each  composition  involving  two  adjacent 
channels. 

There  are  two  distinct  problems  in  channel  composition:  (1)  which  are  the  channels  to  be 
composed,  and  (2)  in  what  order  should  these  channels  be  composed.  These  two  aspects  of 
channel  composition  give  rise  to  different  trust  requirements  in  a  distributed  system.  These 
aspects  are  related  to  naming  because  of  a  reciprocal  association  between  naming  and  channel 
establishment:  (1)  resolving  a  name  (i.e.,  translating  human-readable  names  of  agents  to  attri¬ 
butes  such  as  their  location)  requires  the  establishment  of  channels  to  name  servers,  and  (2) 
channel  establishment  requires  translating  names  of  agents  to  their  encryption  keys,  for  which  a 
name  resolution  procedure  must  be  used.  Thus,  even  though  naming  and  channel  establishment 
can  be  realized  separately,  combining  them  into  a  single  mechanism  can  result  in  higher 
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Figure  1.2:  Problem  of  trust  in  a  VLDS.  (a)  Logical  secure  channel,  (b)  Adjacent  channel 
composition,  (c)  Channel  establishment  as  a  sequence  of  adjacent  channel  compositions. 


performance.  In  the  sequel,  we  will  use  the  term  name  server  synonymously  with  the  term 
authentication  server. 

It  should  be  noted  that  the  problems  of  trust  in  a  distributed  system  are  interesting  in  their 
own  right,  irrespective  of  whether  the  distributed  system  is  large  or  not  However,  efforts  to 
solve  those  problems  are  justified  by  their  crucial  importance  to  very  large  distributed  systems. 
Small  distributed  systems,  such  as  those  that  do  not  span  more  than  one  organization,  do  not 
have  significant  trust  problems.  In  distributed  systems  that  span  more  than  one  organization  but 
with  a  small  number  of  organizations,  trust  problems  are  sufficiently  simple  that  they  can  be 
solved  using  informal  methods.  Only  when  a  distributed  system  spans  a  large  number  of  auto¬ 
nomous  organizations  does  the  need  for  systematically  characterizing  the  trust  relationships  in 
the  system  arise.  In  fact,  only  in  large  distributed  systems  is  there  a  need  for  storing  encryption 
keys  at  name  servers.  In  small  distributed  systems,  the  database  containing  the  encryption  keys 
of  all  agents  can  be  replicated  at  each  host,  and  the  problem  of  trust  in  secure  communication 
disappears. 

1_3.  Relation  to  Previous  Work 

Most  existing  and  proposed  distributed  systems  make  trust-related  assumptions,  though 
often  implicitly.  A  sample  of  these  assumptions  is  as  follows: 

•  All  system-level  components  trust  one  another.  Hosts  trust  each  other,  and  agents  trust  all 
name  servers  [Che84,MuT84,STB86],  Systems  such  as  Amoeba  [MuT84]  further 
assume  that  both  the  network  and  the  network  interfaces  are  secure. 
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•  Hosts  may  not  trust  each  other,  but  name  servers  are  globally  trusted  [BLN82,  SJR86]. 

Clearly  these  trust-related  assumptions  are  incompatible  with  one  or  more  of  the  characteristics 
of  very  large  distributed  systems  we  projected  in  Section  1.  Many  of  the  trust-related  assump¬ 
tions  made  in  current  systems  are  based  on  the  supposition  that  each  distributed  system  has  a 
logically  centralized  administrative  authority  that  can  enforce  policies  and  punish  violators. 
The  absence  of  such  a  single  administrative  authority  in  a  VLDS  has  significant  trust-related 
consequences.  The  agents  in  a  VLDS  have  to  cope  with  the  inherent  existence  of  lack  of  trust 
and  the  associated  possibilities  for  losses.  A  recent  case  involving  a  foreign  company  over 
which  the  United  States  was  unable  to  enforce  its  laws  is  an  appropriate  example.  Thus,  a 
VLDS  must  not  only  allow  lack  of  global  trust  but  also  incorporate  explicit  patterns  of  lack  of 
trust. 

The  Arpanet  [81a,  81b]  is  similar  to  a  VLDS  in  that  it  spans  a  large  number  of  organiza¬ 
tions  and  individuals,  and  has  a  global  name  server  [TPR84].  However,  the  Arpanet  does  not 
have  global  authentication  mechanisms,  and  hence  it  does  not  provide  secure  integrated  access 
to  non-local  resources.  An  agent  must  have  independent  accounts  and  passwords  on  each  host 
that  it  uses.  The  total  lack  of  integration  of  services  in  the  Arpanet  prevents  it  from  being  a  true 
VLDS. 

Birrell  et  al.  [BLN86]  consider  naming  and  authentication  in  large  distributed  systems 
without  global  trust.  They  suggest  that  an  agent  must  be  able  to  specify  the  sequence  of  name 
servers  to  be  trusted  for  establishing  a  channel.  However,  they  neither  give  a  precise  meaning 
to  the  notion  of  trust  nor  provide  a  precise  analysis  of  the  trust  properties  of  various  secure 
channel  establishment  mechanisms.  We  give  a  precise  notion  of  trust  in  Chapter  2,  in  Chapter  3 
we  analyze  the  trust  properties  of  the  various  channel  establishment  mechanisms,  and  in 
Chapter  5  we  investigate  trust  properties  of  various  network  protocols  for  channel  establish¬ 
ment  These  analyses  reveal  surprising  differences  among,  and  limitations  of,  the  various 
mechanisms  and  protocols  with  regard  to  their  trust  properties.  For  instance,  we  show  that,  if 
secure  channels  are  based  on  single  key  encryption  (rather  than  public  key  encryption),  han¬ 
dling  channel  establishment  at  the  host-to-host  level  of  the  network  protocol  hierarchy  requires 
global  trust. 

Birrell  et  al.  [BLN86]  also  suggest  that,  in  order  to  choose  the  name  servers  trusted  in 
establishing  a  new  channel,  the  channels  to  be  composed  must  be  chosen  appropriately,  and  the 
burden  of  choosing  these  channels  is  left  to  the  users.  In  Chapter  4,  we  will  develop  algorithms 
for  synthesizing  name  servers  so  as  to  satisfy  an  a  priori  given  set  of  trust  specifications  of 
agents.  Thus,  the  user  is  no  longer  burdened  with  choosing  channels  based  on  whom  he  or  she 
trusts;  the  design  of  the  name  server  automatically  takes  care  of  the  user’s  trust  relationships. 

Popek  and  Kline  [K1P79,  PoK79]  compare  trust  properties  in  secure  communication  using 
single  key  encryption  and  public  key  encryption,  and  conclude  that  the  two  have  the  same  trust 
properties.  In  Chapter  3,  we  will  show  that  this  conclusion,  which  they  arrived  at  using  an 
informal  notion  of  trust,  is  incorrect. 

1.4.  Outline  of  the  Thesis 

The  goal  of  this  thesis  is  to  develop  techniques  by  which  distributed  systems  can  be  syn¬ 
thesized  so  as  to  satisfy  a  given  set  of  trust  specifications.  Such  a  synthesis  will  have  to  employ 
some  basic  channel  composition  mechanisms.  Before  we  can  employ  a  channel  composition 
mechanism  in  a  synthesis,  we  must  know  the  trust  relationships  inherent  in  (and  hence  required 
by)  the  mechanism.  Thus,  we  must  analyze  the  various  channel  composition  mechanisms  and 
investigate  the  trust  relationships  they  require.  But  before  we  can  analyze  a  mechanism  from 


5 


the  viewpoint  of  the  trust  relationships  it  requires,  we  must  precisely  define  what  we  mean  by 
trust.  Thus,  the  dissertation  will  consist  of  the  following  sequence  of  steps. 

Theory  of  Trust:  To  capture  and  incorporate  lack  of  trust  into  a  distributed  system,  it  is  neces¬ 
sary  first  to  understand  precisely  what  trust  consists  of,  and  then  to  characterize  it.  Basic  foun¬ 
dations  are  necessary  to  clarity  our  understanding  and  to  reason  adequately  about  lack  of  trust  in 
distributed  systems.  A  clear  definition  of  trust  in  a  distributed  system  can  reveal  subtle  distinc¬ 
tions  that  may  not  be  otherwise  apparent.  Formal  descriptions  of  security  have  traditionally 
avoided  any  explicit  treatment  of  trust.  It  is  desirable  to  unify  security  and  trust  into  a  single 
theory.  To  satisfy  all  these  requirements,  we  develop  an  axiomatic  theory  of  trust  in  Chapter  2. 

Analysis:  Formal  analysis  of  trust  can  offer  insights  into  the  basic  structure  and  the  limitations 
of  mechanisms  with  regard  to  their  trust  requirements.  Zero-trust  mechanisms  may  be  possible. 
Chapter  3  analyzes  trust  relationships  in  various  channel  composition  mechanisms.  We  develop 
methods  for  reasoning  about  trust  requirements  in  various  mechanisms,  and  discuss  methods  for 
arriving  at  the  minimal  trust  requirements  in  a  given  distributed  system.  While  doing  so,  we 
will  encounter  some  surprising  differences  among  various  mechanisms  with  regard  to  their  trust 
requirements. 

Synthesis:  The  eventual  goal  of  the  thesis  is  to  provide  algorithms  for  synthesizing  distributed 
systems  so  as  to  satisfy  a  priori  trust  specifications  of  agents.  As  was  shown  in  Section  2,  trust 
requirements  arise  in  naming.  Chapter  4  develops  algorithms  for  synthesizing  name  servers 
from  trust  specifications.  A  sample  set  of  trust  specifications  may  be  as  follows:  "Alice  never 
sends  false  information  to  Bob  about  Fred,  and  Bob  never  sends  false  information  to  Riccardo 
about  Alice.  Fred  and  Riccardo  cannot  be  trusted  to  secretly  store  information  about  Bob  or 
Alice.  Fred  cannot  be  trusted  for  any  information  about  any  agent  that  Alice  or  Bob  trust  for 
information  about  Riccardo."  Or  it  may  involve  organizations  as  in,  "IBM  trusts  DEC  for  Hita¬ 
chi  but  not  for  AT&T". 

No  synthesis  methodology  is  complete  without  performance  considerations.  Under  some 
conditions,  trust  requirements  and  performance  of  channel  establishment  mechanisms  can  be 
traded  for  each  other.  Chapter  5  shows  that,  if  channel  composition  is  based  on  public  key 
encryption,  slightly  increasing  the  number  of  trust  relationships  that  are  satisfied  can  greatly 
increase  the  performance  of  channel  establishment  mechanisms,  and  that  the  additional  trust 
relationships  still  form  a  subset  of  the  set  of  trust  specifications  from  which  the  distributed  sys¬ 
tem  name  space  has  been  synthesized.  We  also  show  that,  if  channel  composition  is  based  on 
single  key  encryption,  global  trust,  which  may  not  be  satisfied  in  the  system  name  space,  is 
required  for  significant  improvements  in  performance. 

Clearly  the  goals  of  the  thesis  are  pragmatic,  but  the  approach  is  partly  formal.  This  work 
was  carried  out  as  part  of  the  DASH  project  at  Berkeley  [AFV87c],  which  is  investigating 
issues  in  the  design  and  implementation  of  very  large  distributed  systems. 


CHAPTER  2 


AXIOMATIZATION  OF  TRUST 


This  chapter  develops  an  axiomatic  theory  of  trust  in  distributed  systems.  The  chapter 
discusses  what  it  means  to  develop  a  logic  or  a  theory,  and  shows  that  modal  logics  of  belief 
with  their  semantic  inteipretation  based  on  the  possible  worlds  semantics  of  Kripke,  are 
appropriate  as  a  starting  point  for  a  theory  of  trust.  We  review  a  modal  logic  of  belief  that  is  an 
enhancement  of  propositional  logic  with  a  belief  operator,  and  construct  a  model  of  a  distri¬ 
buted  system  so  that  the  logic  is  sound  and  complete  with  respect  to  the  model.  Any  sentences 
in  the  logic  may  then  be  added  to  the  logic  as  axioms,  and  these  axiomatic  sentences  are  con¬ 
sidered  as  trust  specifications.  The  logic  and  the  trust  specifications,  together  with  the  model, 
constitute  a  formal  theory  of  trust  for  the  target  distributed  system.  However,  a  theory  of  trust 
is  of  practical  significance  only  if  abstract  trust  specifications  can  be  implemented  in  a  real  dis¬ 
tributed  system.  We  present  formal  techniques  for  synthesizing  protocols  that  are  necessary  and 
sufficient  for  implementing  a  given  trust  specification  in  a  distributed  system. 

2.1.  Introduction 

To  build  distributed  systems  that  capture  and  account  for  lack  of  global  trust,  it  is  first 
necessary  to  understand  precisely  what  trust  consists  of,  and  then  to  characterize  it.  Basic  foun¬ 
dations  are  needed  to  clarify  our  understanding  and  to  reason  adequately  about  lack  of  trust  in 
distributed  systems.  This  chapter  develops  an  axiomatic  theory  of  trust  for  such  systems.  In 
Section  2.2,  we  discuss  basic  notions  of  what  it  means  to  develop  a  logic  or  a  theory,  and  show 
that  modal  logics  of  belief  are  appropriate  as  bases  for  a  theory  of  trust  Section  2.3  reviews 
modal  logics  of  belief,  and  Section  2.4  presents  a  distributed  system  model.  Section  2.5 
presents  a  modal  logic  of  belief  that  is  sound  and  complete  with  respect  to  this  model.  In  Sec¬ 
tion  2.6,  we  develop  a  formal  theory  of  trust,  and,  in  Section  2.7,  we  present  methods  for  syn¬ 
thesizing  protocols  that  implement  a  given  abstract  trust  specification.  Finally,  Section  2.8  con¬ 
cludes  the  chapter. 

2.2.  An  Approach  to  Axiomatization 
2.2.1.  Theories 

Our  first  step,  as  we  saw,  is  to  capture  the  highly  informal  notion  of  trust  into  a  formal 
theory.  The  term  theory  is  used  here  in  the  sense  of  Mendelson  [Men87].  A  theory  is  based  on 
a  logic .  Briefly,  a  logic  consists  of  a  language ,  which  defines  the  set  of  well  formed  formulas 
(WFFs)  or  valid  sentences,  a  set  of  axioms ,  and  a  set  of  rules  of  inference .  An  axiom  is  a 
WFF  and  a  rule  of  inference  is  a  transformation  from  one  WFF  to  another.  (We  will  shortly 
define  the  roles  played  by  axioms  and  rules  of  inference  in  a  logic.)  The  logic  provides  a  frame¬ 
work  for  reasoning  and  abstracts  some  fundamental  notions.  A  theory  consists  of  a  logic 
enhanced  with  a  set  of  assumptions  that  are  particular  to  the  real-world  problem  being  modeled 
by  the  theory.  These  assumptions  are  called  proper  axioms .  To  develop  a  theory  of  trust,  we 
must  first  start  with  a  logic  on  which  to  base  the  theory. 

A  proof  starts  out  from  the  axioms  and  the  proper  axioms,  and  repeatedly  uses  rules  of 
inference  to  arrive  at  a  WFF.  A  WFF  that  is  the  result  of  a  proof  is  called  a  theorem .  The 
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theory  is  said  to  be  consistent  if  for  no  WFF  are  both  the  WFF  and  its  negation  theorems  in  the 
logic. 

Each  logic  (theory)  has  a  set  of  models  which  provide  the  semantic  interpretation  for  the 
logic  (theory).  The  semantic  interpretation  is  outside  the  logic  and  corresponds  to  the  real- 
world  situation  being  modeled  by  the  logic  (theory).  Assuming  two-valued  logics,  a  semantic 
interpretation  of  a  WFF  under  any  assignment  to  variables  in  the  WFF  yields  one  of  the  two 
values:  true  or  false.  A  WFF  whose  semantic  interpretation  is  true  in  a  model  under  any  assign¬ 
ment  to  the  variables  in  the  WFF  is  said  to  be  valid  in  the  model.  A  WFF  whose  semantic 
interpretation  is  true  in  a  model  under  at  least  one  assignment  to  the  variables  is  said  to  be 
satisfiable  in  the  model. 

A  logic  (theory)  is  said  to  be  sound  with  respect  to  a  model  if  and  only  if  the  theorems  in 
the  logic  (theory)  are  valid  in  the  model.  A  logic  can  also  be  shown  to  be  sound  with  respect  to 
a  model  if  and  only  if  the  axioms  of  the  logic  are  valid  in  the  model  and  the  rules  of  inference 
are  validity  preserving.  It  can  be  shown  that  a  theory  is  sound  with  respect  to  a  model  if  and 
only  if  the  logic  on  which  the  theory  is  based  is  sound  with  respect  to  the  model  and  the  proper 
axioms  of  the  theory  are  valid  in  the  model.  Thus,  the  set  of  models  with  respect  to  which  a 
theory  is  sound  is  a  subset  of  the  set  of  models  with  respect  to  which  the  logic  the  theory  is 
based  on  is  sound.  A  logic  (theory)  is  said  to  be  complete  with  respect  to  a  model  if  and  only  if 
all  WFF  that  are  valid  in  the  model  are  theorems  in  the  logic  (theory). 

To  develop  a  formal  theory  of  trust,  we  must  first  start  with  a  logic  on  which  to  base  the 
theory. 

222.  A  Logic  for  Trust 

What  kind  of  a  logic  is  suitable  for  modeling  trusts  in  distributed  systems  ?  To  answer 
this  question,  consider  the  simplest  case  of  secure  communication. 

To  communicate  securely,  agents  encrypt  messages  using  keys  belonging  to  other  agents. 
We  may  say  that  each  agent  must  make  assertions  of  propositions  of  the  form 
owner  (key  of  the  other  agent,  the  other  agent),  where  the  semantic  interpretation  of 
owner  (key ,  agent)  is  that  it  returns  true  if  and  only  if  key  belongs  to  agent.  Thus,  it  seems 
appropriate  to  consider  propositions  of  this  type  as  forming  the  atomic  propositions  of  a  logic  of 
trust.  (An  atomic  proposition  is  a  proposition  representing  a  basic  notion  in  the  model  at  a 
given  level  of  abstraction.) 

In  a  system  in  which  the  complete  database  of  keys  is  securely  replicated  at  every  agent 
using  mechanisms  external  to  the  system  (such  as  telephone  conversations  between  agents,  or 
couriers),  two  agents  can  communicate  securely  without  placing  trust  in  a  third  agent.  In  a  dis¬ 
tributed  system  with  distributed  name  servers,  an  agent  has  to  obtain  the  keys  of  other  agents 
from  name  servers. 

Figure  2. 1  represents  a  distributed  system  in  which  there  are  agents  A,- ,  Ay  and  Ak ,  and 
where  Aj  is  a  name  server.  There  are  two  channels  in  the  initial  state,  A,-Ay,  and  A j  -Ak .  Ak 
sends  a  message  msgkj  containing  its  key  keyk  to  Ay .  When  A,  sends  a  request  to  Ay  asking  for 
Ak ’s  key,  Ay  sends  a  message  msgji  to  A,-  containing  keyk.  If  the  proposition  owner  (key  k,  A  k) 
cannot  be  proved  false  (i.e.,  if  it  is  satisfiable  and  hence  possible )  at  A,- ,  A,  may  now  consider 
accepting  keyk .  However,  A,  is  not  prepared  to  use  keyk  for  secure  communication  to  Ak  unless 
it  is  able  to  prove  that  owner  (keyk ,  A k). 

Suppose,  to  start  with,  that  we  make  no  assumptions  whatsoever  about  security  or  about 
the  validity  of  the  messages  sent  by  one  agent  to  another,  and  that  the  belief  in  a  proposition  is 
used  to  represent  an  attitude  by  which  the  believer  may  not  be  able  to  prove  the  proposition 
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msg  :  owner(key  ,  A  ) 
kj  k  k 

msg  :  B  owner  (key  ,  A  ) 

ji  k  k  k 


Figure  2.1:  Messages  and  beliefs  in  secure  communication.  Secure  communication  chan¬ 
nel  Ai  -Ak  is  to  be  established  using  name  server  Aj . 


valid  but  thinks  the  proposition  might  be  valid.  Thus,  the  belief  of  an  agent  corresponds  to  the 
notion  of  having  in  the  agent’s  database  a  proposition  that  is  satisfiable  so  that,  even  though 
there  may  be  a  measure  of  uncertainty  about  the  validity  of  the  proposition,  the  agent  has  strong 
reasons  to  conjecture  that  the  proposition  might  be  valid  in  the  real  world.  Specifically,  let  the 
belief  in  a  proposition  p ,  denoted  by  B.p ,  indicate  a  relationship  between  an  agent  Al  and  a 
proposition  p  such  that  (a)  A,  may  not  be  able  to  assert  the  truth  of  p ,  (b)  At  cannot  prove  p  ’s 
falsity,  and  (c)  At  expects  and  desires  p  to  be  true.  Thus,  there  may  be  a  measure  of  uncertainty 
about  p ’s  validity,  but  there  is  a  high  likelihood  that  p  might  be  valid. 

Using  this  notion  of  belief,  we  might  say  that  the  message  from  Ak  to  Aj  creates  a  belief 
BjOvmtx(keyk,  Ak).  The  message  from  Aj  to  A,-  creates  a  belief  BiBjO'tmex{keyk,  Ak).  Thus, 
Aj  believes  that  Aj  believes  owner  {key k,Ak).  This  can  be  extended  to  a  scenario  in  which  the 
key  successively  passes  through  several  name  servers  during  name  resolution. 

However,  At  is  not  prepared  to  use  keyk  for  secure  communication  to  Ak  unless  it  is  able 
to  prove  that  owner  (key  k,  A k)  is  valid.  To  infer  owner  {key  k,  A  k)  from  its  belief.  A:  has  to  use 
some  assumptions  such  as  that  Ak  does  not  usually  send  a  false  key,  the  key-parts  of  messages 
msgkj  and  msgJt  are  identical,  and  so  on.  Such  assumptions  are  encapsulated  into  the  notion  of 
trust,  and  are  precisely  abstracted  by  proper  axioms.  In  this  example,  one  possible  proper 
axiom  may  be  "B^ownefrtey*,  Ak)  =>  owner^*,  Ak)'\  While  a  belief  is  an  operator,  a 
trust  is  a  proper  axiom,  i.e.,  a  WFF  that  is  assumed  to  be  true  in  the  system.  Thus  for  instance,  a 
belief  such  as  Btp  denotes  that  A,-  believes  that  proposition  p  is  true,  while  a  WFF  such  as  B,p 
=>  p  is  a  trust  denoting  the  assumption  that,  Ai  believes  in  p  only  when  p  is  true.  Agents  use 
trusts  to  make  inferences  about  the  validity  of  their  beliefs. 

It  is  easy  to  see  that  reasoning  about  trusts  involves  reasoning  about  the  notion  of  belief, 
and  that  a  theory  of  trust  may  be  based  on  a  logic  of  belief.  After  all,  one  of  the  most  desirable 
properties  of  a  formal  theory  is  its  ability  to  capture  what  people  intend  to  say,  and  we  have 
arrived  at  the  suitability  of  a  logic  of  beliefs  in  the  course  of  making  natural  statements  about 
secure  communication.  At  this  point  it  is  useful  to  pause,  and  review  the  kinds  of  logics  avail¬ 
able  to  us  for  reasoning  about  beliefs  in  general. 
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2 23.  Logics  of  Belief 

Belief  represents  an  attitude  of  an  agent  towards  a  proposition.  A  logic  for  expressing 
propositional  attitudes  must  be  able  to  express  the  appropriate  relations  between  believers  and 
attitudes  [Hin62].  Classical  first  order  logic  does  not  handle  these  attitudes  properly 
[FaH85,HaM85].  Modal  logics  [HuC68],  which  enhance  propositional  and  first-order  predi¬ 
cate  logics  with  modal  operators  such  as  belief,  have  been  found  suitable  for  modeling  belief.1 

23.  Modal  Logic  of  Belief:  A  Review 

2.3.1.  Syntax 

In  the  language  of  the  modal  logic  of  belief,  agents  are  named  A  u  ...  ,Am,  and  the  atomic 
propositions  are  denoted  by  p,  q, . . .  Let  “A”,  “V”  and  denote  conjunction,  disjunction 
and  complementation,  respectively.  For  i  =  1, ....  m ,  let  Bt  be  an  operator,  read  as  “agent  A, 
believes”.  The  set  of  WFFs  is  the  smallest  set  that  contains  atomic  propositions,  is  closed 
under  boolean  connectives,  and  contains  B,F  (i  =  1,  ....  m)  if  it  contains  F .  Since  quantified 
modal  logics  are  not  well  understood,  we  restrict  ourselves  to  using  the  propositional  modal 
logic  for  belief.  However,  when  a  variable  x  varies  over  a  finite  set  X  =  {xj,  ....  xn  },  “Vx 
F(x)”  is  used  as  a  short-hand  notation  for  F(x i)A  •  •  •  A F(xn).  Thus,  if  F  is  a  WFF,  and  x 
varies  over  a  finite  set,  Vx  F  (x)  is  a  WFF. 

2 32.  Semantics 

Unlike  classical  logic  operators,  modal  operators  such  as  belief  do  not  allow  a  truth- 
functional  semantic  interpretation.  (An  operator  is  truth-functional  if  and  only  if,  given  any 
WFF  that  is  a  result  of  applying  the  operator  to  some  arguments,  the  truth  value  of  the  WFF  can 
be  deduced  solely  from  the  truth  values  of  the  arguments.  Belief  is  not  a  truth-functional  opera¬ 
tor  because,  belief  in  a  proposition  may  be  true  or  false  irrespective  of  the  truth  value  of  the  pro¬ 
position.)  Thus,  modal  logics  use  a  possible  -worlds  semantics  [HaM85,  Kri63]  in  which  the 
notions  of  possibility  and  necessity  are  used,  and  the  notion  of  a  possible  world  is  used  in  the 
semantic  interpretation.  2  A  set  of  possible  worlds  is  postulated,  and  a  belief  is  true  if  it  is  true 
in  a  set  of  possible  worlds.  The  real  world  may  be  one  of  the  possible  worlds. 

An  agent’s  belief  arises  primarily  because  of  the  agent’s  ignorance  about  the  global  state 
of  the  distributed  system.  An  agent’s  state  of  belief  relates  to  the  level  to  which  the  agent  can 
determine  the  system’s  global  state  based  on  its  local  state.  In  each  global  state  of  the  system, 
one  can  associate  with  each  agent  a  set  of  possible  global  states  that  are  determined  as  follows: 
if  the  agent’s  beliefs  are  true,  any  of  them  could  possibly  be  the  real  global  state.  In  other 
words,  based  on  its  local  state,  an  agent  cannot  determine  the  real  global  state  that  it  is  in;  it  can 
only  conclude  that  some  global  states  are  possible.  An  agent  believes  p ,  denoted  by  Btp ,  if  and 
only  if  p  is  true  in  all  the  global  states  that  the  agent  considers  possible.  An  agent  does  not 
believe  p  if  and  only  if,  in  at  least  one  of  the  global  states  that  the  agent  considers  possible,  p  is 
not  true.  Since  this  semantic  interpretation  of  belief  uses  the  notion  of  possible  global  states,  it 
is  called  the  possible  worlds  semantics  [Kri63]. 


1  As  we  will  see  later,  modal  logics  use  the  notions  of  possibility  and  necessity.  In  medieval  logic,  possibility, 
necessity,  and  so  on,  were  thought  of  as  modes  in  which  a  proposition  could  be  true  or  false. 

2  Halpem  and  Moses  wrote  an  excellent  paper  on  modal  logics  of  belief  and  knowledge  [HaM85].  The  review 
of  modal  logics  presented  in  Section  2.3  of  this  chapter  is  based  heavily  on  this  paper. 
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In  a  future  section  we  show  that  the  addition  of  any  proper  axiom  to  a  logic  (giving  rise  to 
a  theory)  requires  the  construction  of  a  new  set  of  models  from  the  old  set  of  models  for  which 
the  logic  was  sound  and  complete.  This  is  to  ensure  that  the  theory  is  sound  and  complete  for 
the  new  set  of  models.  If  this  cannot  be  ensured,  then  the  theory  may  be  ill  suited  for  the  new 
set  of  models  of  the  system,  i.e.,  some  statements  that  are  provable  as  being  true  in  the  theory 
may  be  actually  false  in  the  system,  and  some  that  are  true  in  the  system  may  be  provable  as 
being  false  in  the  theory.  Thus,  it  is  necessary  to  ensure  that  the  theory  is  sound  and  complete 
for  the  new  set  of  models.  In  the  modal  logic  approach,  by  making  minor  changes  to  the  possi¬ 
ble  worlds  semantics,  we  can  capture  different  problem  situations.  By  imposing  various  con¬ 
straints  on  what  global  states  are  considered  possible  by  an  agent  in  a  given  real  global  state, 
one  can  capture  a  number  of  interesting  notions  of  belief.  For  example,  if  the  relation  between 
the  global  state  and  the  set  of  possible  global  states  is  restricted  to  be  transitive,  then  an  agent 
believes  that  it  believes  p ,  if  it  believes  p .  Since  it  lends  itself  to  easy  translation  between  a 
proper  axiom  of  a  theory  and  its  semantic  interpretation  in  the  model,  the  possible  worlds 
approach  is  a  powerful  tool  for  developing  theories.  Thus,  we  say  that  this  approach  is  custom¬ 
izable  ,  i.e.,  with  little  effort  a  theory  can  be  derived  from  a  logic  for  a  given  security  environ¬ 
ment  We  have  chosen  this  approach  for  our  theory  of  trust 

233.  The  Kripke  Structure:  A  Formal  Semantic  Interpretation  of  Belief 

Kripke  [Kri63]  introduced  what  is  known  as  a  Kripke  structure  as  a  formal  model  for 
possible  worlds  semantics.  Let  S  be  the  set  of  all  global  states,  and  C>  be  the  set  of  all  atomic 

propositions.  A  Kripke  structure  K  is  a  tuple  (S ,  Jt,  pi . pm),  where  tc  is  a  truth  assignment  to 

the  atomic  propositions  of  <D  for  each  global  state  s  in  S  (i.e.,  V p ,  s  such  that  E<t  and  s  e  S , 
tz(s ,  p )  £  {true,  false}),  m  is  the  number  of  agents,  and  p, ,  i  =  1 . m,  is  a  relation  on  the  glo¬ 

bal  states  in  S .  p,-  is  A; ’s  possibility  relation ;  (s ,  t)  e  p,  if  and  only  if  in  global  state  3  s  At 
considers  the  global  state  t  as  possible. 

We  will  now  review  a  formal  definition  of  the  truth  of  a  WFF  given  using  the  relation  l=,  a 
relation  between  states  and  WFFs  [HaM85].  “s  1=  p  ”  stands  for  “p  is  true  in  s  "  (which  is 
equivalent  to,  “w  satisfies  s 
\fp  e  <&,  s  I  =  p  if  and  only  if  tt(j ,  p )  =  true 
s  1=  p  A  q  if  and  only  if  s  I -p  and  s  1=  q 
s  1=  "p  if  and  only  if  s  I  *  p 

s  1=  Bip  if  and  only  if  Yr  such  that  (s,t)epitt  1=  p 

The  last  definition  above  formalizes  the  idea  that  an  agent  A,  believes  p  in  global  state  5 
if  and  only  if  p  is  true  in  all  the  states  that  A,  considers  possible  when  the  system  is  in  state  s . 
A  WFF  p  is  valid  (or  satisfiable )  if  and  only  if  s  1=  p  for  all  states  5  (or  for  some  state  5 , 
respectively).  It  may  be  observed  that  p  is  satisfiable  if  and  only  if  "p  is  not  valid. 

In  order  to  use  this  logic  for  reasoning  about  communication  security,  we  have  first  to 
relate  distributed  systems  to  Kripke  structures. 


3  In  the  sequel,  we  use  the  term  state  synonymously  with  the  term  global  state  except  when  explicitly  men¬ 
tioned  that  it  is  local  state.  There  is  a  distinction  between  a  world  and  a  global  state ,  but,  in  the  sequel,  this  distinc¬ 
tion  is  unimportant,  and  we  use  them  synonymously. 
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2.4.  A  Distributed  System  Model 

2.4.1.  States 

A  distributed  system  can  be  modeled  as  a  set  of  agents  communicating  with  each  other  via 
messages.  The  state  of  the  distributed  system  consists  of  the  states  of  all  its  agents.  The  state 
of  an  agent  consists  of  its  message  history,  which  is  the  sequence  of  messages  received  or  sent 
by  the  agent.  A  message  in  the  message  history  consists  of  a  WFF,  a  sender,  and  a  receiver.  At 
least  one  of  either  the  sender  or  the  receiver  is  the  agent  itself.  Messages  that  are  not  of  this  for¬ 
mat  are  not  of  interest  to  the  agent  and  are  not  interpreted  by  the  agent.  To  start  with,  we  make 
no  assumptions  about  the  security  in  the  system:  i.e.,  an  agent  may  send  or  receive  any  message, 
may  masquerade  as  any  other  agent,  and  so  on.  An  agent  may  impose  any  conditions  for 
accepting  a  message,  such  as  a  test  for  message  authenticity.  A  non-accepted  message  does  not 
become  a  part  of  the  agent’s  message  history.  The  state  of  an  agent  uniquely  determines  the 
agent’s  beliefs. 

Having  defined  states,  we  now  define  the  possibility  relations  in  a  Kripke  structure. 

2.4.2.  Possibility  Relations 

Consider  a  global  state  s  in  which  the  state  of  agent  A-t  is  s, .  The  following  definitions 
will  be  used: 

MS  (s, ,  Aj )  =  the  sequence  of  messages  in  the  message  history  of  A,  in  state  s,  that  were 
sent  to  Ay. 

MR  ( Si  ,Aj)  =  the  sequence  of  messages  in  the  message  history  of  A,  in  state  s,  that  were 
received  from  Ay. 

BR  (, Si ,  Ay)  =  the  set  of  WFFs  sent  in  the  message  sequence  MR(s, ,  Ay). 

Bel  ( Si )  =  the  set  of  beliefs  of  A,-  in  state  s, . 

Let  the  symbol  $  denote  the  subsequence  relationship  between  sequences  or  the  subset  relation¬ 
ship  between  sets.  The  possibility  relation  p,-  consists  of  all  pairs  of  states  s  and  t  such  that  V 

jj*i- 

(PCI)  Si  =  f,-,  i.e.,  the  ith  components  of  state  s  and  state  t  are  the  same, 

(PC2)  MR(^ ,  Ay)  <  MS(tj ,  A,)  (i.e.,  there  is  an  authenticated  channel  from  Ay  to  A,),  and 
(PC3)  BR(^ ,  Ay )  <  Bel(r, )  (i.e.,  Ay  has  not  lied  about  its  beliefs  to  A; ). 

We  will  refer  to  these  three  conditions  as  the  possibility  conditions  with  respect  to  s, .  Note 
that  each  possibility  relation  is  specific  to  an  agent. 

In  effect,  the  possible  states  from  the  viewpoint  of  A,-  are  those  states  of  the  distributed 
system  in  which  all  the  messages  in  A; ’s  message  history  are  authentic  and  the  senders  of  those 
messages  have  not  sent  false  messages  to  A,  (see  Figure  2.2).  Thus,  A,  holds  a  limited  optimis¬ 
tic  view  of  the  possible  distributed  system  states:  the  possible  states  are  secure  as  far  as  A;  is 
concerned.  In  the  real  state,  agents  might  have  sent  false  messages  to,  or  masqueraded  to  Ay. 
Note  that  states  in  which  Ay  has  masqueraded  to  Ak,k*i,  or  sent  false  beliefs  to  Ak  are  possible 
from  the  viewpoint  of  A, .  As  we  will  see,  we  will  make  use  of  trusts  to  turn  a  possible  secure 
state  into  the  real  state. 
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(a) 


Figure  2.2:  A  possible  state  from  the  viewpoint  of  A,  and  the  real  global  state,  (a)  A  possi¬ 
ble  global  state  from  agent  Ai  ’s  viewpoint:  the  possible  global  state  consists  of  the  real  lo¬ 
cal  state  Si  of  A;  and  a  possible  local  state  tj  of  Aj.  In  this  possible  global  state,  Ay  has 
sent  messages  msg  i  and  msg  2  to  A,  and  the  WFFs  that  msg  j  or  msg 2  contain  are  true,  (b) 
The  real  global  state  consists  of  the  real  local  states  st  and  Sj.  In  sjt  Aj  has  sent  message 
msgy,  the  WFF  contained  in  msg\  is  not  true  (Aj  has  lied  to  A,),  and  Aj  did  not  send 
msg 2-  Masquerading  as  Ay ,  some  other  agent  has  sent  msg  2  to  At . 


2.43.  Belief  Acquisition 

What  should  agent  A;  ’s  beliefs  be  ?  The  semantic  interpretation  of  a  belief  in  a  state  $,•  is 
that  the  believed  proposition  is  true  in  all  the  states  in  the  possibility  relation  p,  corresponding 
to  Si ,  i.e.,  in  all  the  possible  states.  The  system  is  not  necessarily  in  one  of  the  states  considered 
possible  by  A,- ,  and  hence  the  believed  proposition  need  not  be  true  in  the  real  world.  Any 
event  in  the  system  may  trigger  a  belief  acquisition  or  a  belief  revision.  The  events  of  interest 
depend  on  the  particular  application.  For  simplicity,  we  only  consider  the  reception  of  a  mes¬ 
sage  as  resulting  in  a  belief  acquisition.  When  A,-  receives  a  WFF  /  from  an  agent  Aj ,  A,-  adds 
the  belief  BtBjf  to  its  belief  database  if  and  only  if  Bjf  is  consistent  with  the  beliefs  that  A, 
has  previously  acquired  as  a  consequence  of  a  message  from  Ay  (i.e.,  if  By  /  cannot  be  proved 
from  Ai ’s  current  beliefs).  Thus,  incoming  messages  may  cause  an  agent  to  add  to  its  beliefs. 

In  the  logic,  WFFs  received  by  At  from  two  different  agents  will  not  be  inconsistent  with 
each  other.  For  example,  let  Ay  send  a  WFF  /  to  A,- ,  let  Ay  send  ~f  to  Ak,  and  let  Ak  send  By  / 
to  A;.  B,By/ ,  and  B,B*  By-/  are  consistent  with  each  other,  and  A,  will  add  both  the  beliefs. 
The  possible  states  from  the  viewpoint  of  A,-  in  this  example  include  those  in  which  By/  is  true 
at  Ay  and  Ay  has  sent  a  WFF  ~f  to  Ak  (thus,  By 7  is  true  at  Ak),  as  well  as  those  in  which  Ay 
has  sent  a  WFF  /  to  A,-.  To  see  why  agents  may  need  to  send  beliefs  in  a  real  system,  in  the 
example  of  Section  2.2.2  in  which  A;  establishes  a  channel  to  Ak  using  a  name  server  Ay,  Ak 
sends  its  key  keyk  to  Ay,  and  the  reception  of  ke yk  creates  a  belief  B ,  owner  (key  k,  Ak)  in  Ay.  Ay 
sends  this  belief  to  A; ,  and  this  creates  a  belief  B,  By  owner  (keyk ,  Ak)  in  At .  Notice  that  A y  must 
send  its  belief,  and  not  owner  (key k,  A  k)  to  A, ,  because,  that  keyk  belongs  to  Ak  is  only  a  belief 
of  Ay ,  and  it  is  not  certain  if  the  key  really  belongs  to  Ak .  Thus  for  instance,  since  we  are  not 
making  any  assumptions  about  the  security  behavior  of  various  agents  at  this  point,  some  other 
agent  may  have  sent  keyk  masquerading  as  Ak. 
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2.4.4.  Sending  Beliefs 

What  beliefs  can  an  agent  At-  send  to  another  agent  Aj  ?  A;  can  send  any  WFF,  whether 
or  not  the  WFF  is  a  belief  of  At .  However,  A}  accepts  a  belief  sent  by  Af  only  if  the  belief  is 
consistent  with  the  beliefs  that  Aj  has  previously  received  from  A,-.  Thus,  At  is  not  allowed  to 
change  its  mind.  It  is  not  necessary  that  a  WFF  sent  by  A(-  to  Aj  (1)  be  one  of  A; ’s  beliefs,  (2) 
be  consistent  with  A; ’s  beliefs,  or  (3)  be  consistent  with  the  beliefs  that  At  sends  to  other  agents. 

2 5.  A  Logic  of  Belief  for  the  Distributed  System  Model 

The  axioms  and  the  inference  rules  for  a  logic  of  belief  depend  on  the  properties  of  the 
possibility  relations.  The  properties  of  interest  are  transitivity ,  euclidean  property , 
serial  property ,  and  reflexivity .  A  relation  p  is  transitive  if  and  only  if  Vs,  t,u,((s,t)ep  and 
(t,u)6p)=>(i,«)ep.  A  relation  p  is  euclidean  if  and  only  ifVs ,  t,  u ,  ((s ,  t)  e  p  and  (s ,  u) 
e  p)  =>  (r ,  u )  e  p.  A  relation  p  is  serial  if  and  only  if  Vi ,  3*  sue*1  that  (s,t)e  p.  A  relation  p 
is  reflexive  if  and  only  if  Vs,  (s, s) £  p-  We  now  show  that  the  possibility  relations  for  our  dis¬ 
tributed  system  model  satisfy  exactly  the  first  three  of  these  properties. 

Vi.t  =  1,  ~.,m: 

(1 )  Transitivity :  for  any  states  s ,  t ,  and  u ,  suppose  (s,  t)  and  (t,  u)  are  in  p,  .  By  the  possi¬ 
bility  conditions,  s,-  =  q  and  ut  =  r, .  Thus,  u,  =  s,- .  For  all  j ,  j*i ,  r;  satisfies  the  last  two 
possibility  conditions  with  respect  to  ,  and  uj  satisfies  the  last  two  possibility  conditions 
with  respect  to  r,-.  However  st  =  r,  ,  and  hence  Uj  satisfies  the  last  two  possibility  condi¬ 
tions  with  respect  to  s, .  Thus  (s,  u)  belongs  to  the  possibility  relation,  and  p,  is  transi¬ 
tive. 

(2)  Euclidean  property :  consider  any  two  pairs  (s,  t)  and  (s,  u)  in  p,.  We  have  st  =  t,  and 

=  ui .  Thus,  r,  =  ui .  For  all  j,j*i,  Uj  satisfies  the  last  two  possibility  conditions  w.r.t.  s, . 
Since  s{  =  r, ,  u}  satisfies  the  last  two  possibility  conditions  w.r.t.  .  Thus,  all  the  three 
possibility  conditions  are  satisfied  for  the  pair  (r,  u).  Hence  (t ,  u )  belongs  to  p; ,  and  con¬ 
sequently  p,  is  euclidean. 

(3)  Serial  property :  the  possibility  conditions  are  constructive.  Thus,  for  every  state  it-  of  A,- , 
for  every  j,  j*i,  tj  can  be  constructed  directly  from  the  possibility  conditions  and 
independently  of  any  k,k*j,k*i.  This  is  because  the  possibility  conditions  impose  con¬ 
straints  only  on  the  messages  between  A,  and  other  agents,  and  on  the  beliefs  of  other 
agents.  There  are  no  constraints  on  the  messages  between  agents  A;  and  Ak,  if  j*i  and 
k  *i .  Thus,  for  every  state  of  s ,  3*  such  that  (s ,  t )  e  p(- .  Hence  p,-  is  serial. 

The  actual  state  may  not  be  one  of  the  possible  states.  Thus,  the  possibility  relation  is 
not  reflexive ,  and  a  believed  WFF  may  not  be  true  in  the  real  world. 

Given  these  properties  of  the  possibility  relations,  an  axiom  schema  must  be  chosen  for 
the  modal  logic  of  belief.  Several  axiom  schemas  are  possible.  An  axiom  schema  not  only  pro¬ 
vides  a  sound  and  complete  formal  system  but  also  determines  whether  the  satisfiability  of 
WFFs  is  decidable  or  not  in  the  logic,  and  hence  must  be  chosen  carefully.  The  following 
axiom  schema  is  known  to  provide  a  sound  and  complete  characterization  of  our  notion  of 
belief,  and  a  decidable  satisfiability  of  WFFs  [HaM85].  The  axiom  schema  consists  of  the  fol¬ 
lowing  axioms: 
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for  all  i ,  t  =  1, m: 

Al.  All  substitution  instances  of  propositional  tautologies. 

A2. BiP  A Bt(p  =>q)  => Bt q . 

A3.Bip  ->B[BiP  ( introspection  of  positive  belief). 

A4.  ~Bip  =>Bi~BiP  ( introspection  of  negative  belief). 

A5.  ~B,  (false)  ( agent  i  does  not  believe  a  contradiction  ). 

and  the  following  inference  rules: 
forall/.i  =  1  , ....  m: 

Rl.  From  p  and  p  =>  q  infer  q  (modus  ponens ). 

R2.  From  p  infer  (generalization  ). 

Some  of  these  axioms  directly  correspond  to  the  properties  of  the  possibility  relations  pi,...pm: 
A3  corresponds  to  transitivity,  A4  to  the  euclidean  property  and  AS  to  the  serial  property. 

2.6.  A  Theory  of  Trust 

The  beliefs  that  an  agent  has  may  not  be  true  in  the  real  world.  Trusts,  encoded  as  proper 
axioms,  are  used  to  derive  the  truth  (or  falsity)  of  beliefs.  A  trust  is  any  proper  axiom  added  to 
the  modal  logic  of  belief  presented  in  Section  2.3,  i.e.,  any  WFF  that  is  assumed  to  be  valid  in 
addition  to  the  axioms  in  die  logic.  In  the  logic,  we  started  with  no  assumptions  about  the  secu¬ 
rity  behavior  of  agents.  In  the  theory,  we  explicidy  add  the  necessary  assumptions  in  a  pre¬ 
cisely  codified  manner,  and  these  assumptions  are  regarded  as  trusts.  The  simplest  trusts  are 
implications  of  the  form,  BtF  =>  F ,  where  F  is  a  WFF.  Since  any  WFF  can  be  regarded  as  a 
trust  specification,  this  approach  gives  a  lot  of  power  and  generality  to  expressing  trust  relation¬ 
ships  [Ven88].  Security  theories  [Lan81],  which  are  first-order,  can  be  incorporated  into  our 
theory  of  trust 

As  was  observed  in  Section  2.2,  adding  proper  axioms  to  a  logic  results  in  a  theory.  Let 
us  assume  that  we  have  a  theory  consisting  of  the  modal  logic  of  belief  and  some  trusts  (which 
are  the  proper  axioms).  What  are  the  effects  of  adding  a  new  trust  to  an  existing  theory  ?  If  the 
theory  is  decidable  4  and  the  new  trust  can  be  proved  as  a  theorem  in  the  theory,  there  is  no  need 
to  add  the  new  trust.  If  the  new  trust  is  not  a  theorem,  adding  it  gives  rise  to  a  new  theory.  If 
the  new  trust  does  not  invalidate  the  old  theory  5,  the  monotonicity  of  the  logic  is  retained  and 
the  new  theory  will  continue  to  be  complete  with  respect  to  the  old  model.  However,  the  new 
theory  is  no  longer  sound  with  respect  to  the  old  semantic  model  (i.e.,  the  semantic  model 
corresponding  to  the  old  theory).  Thus,  a  new  model  has  to  be  constructed  so  that  the  new 
theory  is  sound  and  complete  with  respect  to  the  new  model.  Proving  soundness  of  the  new 
theory  w.r.t.  the  new  model  is  usually  easy,  but  proving  completeness  is  more  often  than  not 
cumbersome,  non-intuitive,  and  difficult  However,  the  possible  worlds  semantic  model  is 
highly  amenable  to  incremental  modification  such  that  the  new  theory  is  sound  and  complete 
with  respect  to  the  modified  model.  The  modification  consists  of  adding  new  constraints  to  pos¬ 
sibility  relations  pt, ....  pm  in  the  Kripke  structure  (this  will  be  illustrated  in  the  next  section). 
This  is  exactly  the  reason  why  the  possible  worlds  model  was  chosen:  it  provides  a  powerful 


4  A  theory  is  decidable  if,  for  any  WFF  in  the  theory,  it  can  be  determined  whether  the  WFF  is  satisfiable  or 

not. 

5  The  following  three  statements  are  equivalent  to  each  other:  (1)  a  WFF  does  not  invalidate  a  theory,  (2)  the 
negation  of  a  WFF  cannot  be  proved  as  a  theorem,  (3)  a  WFF  is  satisfiable  in  the  theory. 
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and  flexible  framework  for  customizing  a  logic. 

A  trust  specification  can  be  thought  of  as  an  abstract  representation  of  a  policy  in  the  dis¬ 
tributed  system.  The  next  step  is  pragmatic:  Given  a  trust  policy,  what  are  the  protocols  neces¬ 
sary  to  ensure  that  the  policy  holds  in  the  system  ?  The  following  section  illustrates  the  method 
for  synthesizing  protocols  from  a  given  abstract  trust  specification. 

2.7.  Synthesizing  Protocols  from  Abstract  Trust  Specifications 

Consider  a  distributed  system  in  which  there  are  three  agents  Aj ,  Ay  and  Ak .  Let  Q  be  any 
WFF.  Let  “V<2.  BjBiBkQ  =>  BiBjBkQ"  be  the  given  trust  specification  that  is  to  be  imple¬ 
mented  in  the  distributed  system.  Informally,  this  trust  specification  says  that,  for  all  well- 
formed  formulas  Q ,  if  Ay  believes  that  A,-  believes  that  Ak  believes  Q ,  it  is  necessary  that  Aj 
believes  that  Ay  believes  that  Ak  believes  Q.  This  particular  trust  specification  may  not 
correspond  to  any  particularly  useful  notion  of  trust  in  a  real  system.  However,  it  serves  as  a 
good  example  for  illustrating  how  an  abstract  trust  specification  can  be  translated  into  concrete 
distributed  system  protocols. 

To  see  clearly  the  advantages  of  the  formal  theory  of  trust,  let  us  first  look  at  the  solution 
that  an  informal  analysis  might  yield.  For  the  trust  to  hold,  A;  has  to  believe  BjBkQ  before  Aj 
believes  BiBkQ.  A,-’s  belief  can  be  created  by  a  message  from  Aj  containing  BjBkQ.  A/s 
belief  can  be  created  by  a  message  from  Aj  containing  BtBkQ.  Thus,  for  the  trust  to  hold,  Aj 
sends  a  message  containing  BjBkQ  to  Aj  before  Aj  sends  a  message  containing  BtBkQ  to  Ay. 

Let  us  now  see  what  the  formal  techniques  yield.  The  outline  of  the  formal  method  is  as 
follows:  Given  a  WFF  such  as  “ B}BiBkQ  => BiBjBkQ”  as  the  trust  specification,  we  semant¬ 
ically  interpret  it.  For  this  WFF,  interpreting  the  beliefs  in  the  antecedent  and  the  consequent 
yields  possibility  relations,  which  contain  pairs  of  states.  For  the  consequent  to  be  true  when¬ 
ever  the  antecedent  is  true,  the  possibility  relations  of  the  consequent  must  be  subsets  of  those 
of  the  antecedent.  Possibility  relations  are  nothing  but  sets  of  pairs  of  states,  and  hence  we 
obtain  relationships  between  the  set  of  states  of  the  antecedent  and  the  set  of  states  of  the  conse¬ 
quent.  States  are  nothing  but  message  histories,  and  thus  we  obtain  relationships  between  mes¬ 
sage  histories  of  agents,  which  with  some  more  manipulation  are  reduced  to  such  conditions  as, 
for  instance,  that  an  agent  must  send/receive  a  particular  message  before  or  after 
sending/receiving  some  other  message,  and  so  on. 

The  given  trust  specification  is  required  to  be  true  in  all  system  states.  Let  the  state  of  the 
system  be  s ,  and  the  states  of  Aj,  Ay  and  Ak  be  Sj ,  Sj  and  sk  respectively  (see  Figure  2.3).  If  the 
antecedent  BJBiBkQ  of  the  trust  specification  is  not  true  in  s ,  the  trust  specification  'tBjBiBkQ 
=>  B^jB^  ”  is  trivially  true  in  s.  Suppose  the  antecedent  is  true  in  s .  The  antecedent  is 
created  by  a  message  received  by  Ay  such  that  the  message  sender  field  is  Aj  and  the  message 
contains  BiBkQ.  Thus,  the  message  exchanges  specified  by  condition  Ms  below  must  have 
taken  place  in  s : 

Message  Condition  Ms:  Ay  receives  BiBkQ  from  Aj. 

Since  5  is  the  real  state  (as  opposed  to  a  possible  state)  of  the  system,  we  say: 

State  Condition  Cs :  s  is  the  real  system  state. 

The  antecedent  BjBiBkQ  is  a  belief.  Its  semantic  interpretation  is  that  there  is  a  possible  state  t 
such  that  (s,  t)  e  p;  ,  and  the  message  exchanges  specified  by  condition  Mt  below  must  have 
taken  place  in  t : 

Message  Condition  Mt:  A;  sends  BtBkQ  to  Ay. 


Trust  Spec.:  For  all  Q,  BjBiBkQ  =>  BiBjBkQ 


Consequent 


Figure  2.3:  The  Kripke  structure  semantic  interpretation  of  the  trust  BjBiBkQ  => 
BtB.BkQ.  The  local  states  of  A,,  AJt  and  Ak  in  the  various  global  states  have  been 
derived  using  the  possibility  conditions  PCI,  PC2  and  PC3.  For  example,  in  global  state 
t ,  the  local  state  of  A,  is  f, ,  the  local  state  of  Ay  is  Sj ,  and  the  local  state  of  Ak  is  tk .  States 
s  and  x  are  real  states.  All  other  states  are  possible  states. 


Since  t  is  a  possible  state,  the  possibility  conditions  PCI,  PC2  and  PC3  must  be  satisfied  in  t : 
State  Conditions  Ct: 

(a)  tj  =sj. 

(b)  There  is  an  authenticated  channel  from  A,  to  Ay, 

(c)  A,  sends  a  message  BiBkQ  only  if  it  believes  BkQ ,  i.e.,  only  if  A,  has  received  BkQ 
from  Ak .  In  other  words.  A,  does  not  lie  about  its  beliefs  to  A; . 

Now  consider  state  t.  By  M,  and  C, ,  A,  believes  BkQ ,  i.e.,  BiBkQ  is  true.  If  we  further  inter¬ 
pret  BtBkQ ,  we  obtain  that  in  state  t  there  is  a  possible  state  u  such  that  (r,  u)  e  p;,  and  the 
message  exchanges  specified  by  condition  Mu  must  have  taken  place  in  u : 

Message  Condition  Mu:  Ak  sends  BkQ  to  A,  . 

Since  u  is  a  possible  state,  the  possibility  conditions  PCI,  PC2  and  PC3  must  be  satisfied  in  u  : 
State  Conditions  Cu: 

(a)  w*  =tk. 

(b)  There  is  an  authenticated  channel  from  Ak  to  A,- . 


17 


(c)  Ak  believes  Q ,  i.e.,  Ak  has  not  lied  about  its  beliefs  to  At . 

This  concludes  the  interpretation  of  the  antecedent  Let  us  now  interpret  the  consequent, 
BiBjBkQ.  For  BiBjBkQ  to  be  true  in  a  real  system  state  x,  At  must  have  received  B}BkQ 
from Aj  in*: 

Message  Condition  Mx:  A,-  has  receives  BjBk  Q  from  Aj . 

Since  *  is  a  real  state  of  the  system,  we  say: 

State  Condition  Cx:  *  is  the  real  state  of  the  system. 

The  belief  BiBjBkQ  of  the  consequent  is  interpreted  in  exactly  the  same  way  as  that  of  the 
antecedent,  and  we  obtain  that  there  must  be  a  possible  state  y  such  that  (*,  y )  e  p,  ,  and  the 
message  exchanges  specified  by  My  below  must  have  taken  place  in  y : 

Message  Condition  My:  Aj  sends  BjBkQ  to  . 

Since  y  is  a  possible  state,  the  possibility  conditions  must  be  satisfied  in  y : 

State  Conditions  Cy: 

(a ) y;  =*;• 

(b)  There  is  an  authenticated  channel  from  Aj  to  A; . 

(c)  Aj  believes  in  BkQ ,  i.e.,  Aj  has  received  BkQ  from  Ak.  In  other  words,  Aj  has  not 
lied  about  its  beliefs  to  AL . 

Interpreting  BjBkQ  in  y  yields  that  there  must  be  a  possible  state  z  such  that  (y,z)ep;,  and 
the  following  message  exchange  must  have  taken  place  in  z : 

Message  Condition  Mz:  Ak  sends  BkQ  to  Aj . 

Since  z  is  a  possible  state,  the  possibility  conditions  must  be  satisfied  in  z : 

State  Conditions  Cz: 

(a  )zk-yk. 

(b)  There  is  an  authenticated  channel  from  Ak  to  Aj . 

(c)  Ak  believes  Q  is  true,  i.e.,  Ak  has  not  lied  about  its  beliefs  to  Aj . 

This  concludes  the  interpretation  of  the  consequent. 

Let  Pi—ihs .  P j-ihs  >  and  denote  the  possibility  relations  of  At ,  Aj ,  and  Ak ,  respectively,  on 
the  antecedent  side,  and  p,_rAj,  p;_r/li ,  and  pk_rhs  denote  the  possibility  relations  of  Ai ,  Aj ,  and 
Ak,  respectively,  on  the  consequent  side.  The  trust  specification  requires  that  the  consequent  be 
true  whenever  the  antecedent  is  true.  Since  the  beliefs  of  the  antecedent  and  consequent  are 
determined  by  their  respective  possibility  relations  6 7,  the  possibility  relations  required  for  the 
consequent  must  be  subsets  of  the  possibility  relations  required  for  the  antecedent  This  yields 
two  constraints,  R1  and  R2: 

Constraint  Rl:  p must  be  a  subset  of  p^ .  p,-^  contains  (x,y),  and  p,_/fe  contains  (r, 
u).  Thus,  the  set  of  pairs  of  states,  {(*,  y)j  must  be  a  subset  of  {(r,  u)}.  Thus  set  of  states, 
{* }  must  be  a  subset  of  {r } ,  and  [y }  must  be  a  subset  of  {u  } 1 .  If  a  set  of  states  {r  t}  is  to  be  a 


6  See  Section  2.3.3. 

7  Sets  of  states  are  used  in  place  of  single  states  because,  the  various  state  and  message  conditions  do  not 
uniquely  specify  the  states,  rather  they  define  sets  of  states. 
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subset  of  a  set  of  states  {r2},  the  state  conditions  of  r,  must  be  satisfied  in  r2  and  the  message 
exchange  conditions  of  r  x  must  be  satisfied  prior  to  the  message  exchange  conditions  of  r2  (i.e., 
the  message  history  of  rx  must  be  a  subset  of  the  message  history  of  r^.  Thus  ”{x }  must  be  a 
subset  of  {f }"  yields: 

Rl.l:  Cx  must  be  satisfied  in  Ct.  Thus,  in  the  system’s  real  state,  A;  must  have  an  authen¬ 
ticated  channel  to  Ay,  and  A;  must  send  BiBkQ  to  Ay  only  after  receiving  a  message  con- 
taining  BkQ  from  Ak . 

R1J:  Mx  must  be  satisfied  prior  to  Mt.  Thus,  A,-  must  receive  BjBkQ  from  Ay  before 
sending  B{  Bk  Q  to  Aj . 

Since  we  are  only  interested  in  constraints  that  affect  real  system  states  (rather  than  possible 
states),  and  since  both  y  and  u  are  possible  states,  we  will  not  elaborate  on  the  result  that  {y } 
must  be  a  subset  of  {u } . 

Constraint  R2:  p j_rhs  must  be  a  subset  oipHhs.  Thus,  {(y,  z)}  must  be  a  subset  of  [(s,  t)}. 
Therefore,  {y }  must  be  a  subset  of  {s } ,  and  {z  }  must  be  a  subset  of  {r } .  "  {y )  must  be  a  subset 
of  {s }"  yields: 

R2.1:  Cy  must  be  satisfied  in  Cs .  In  Ay ’s  real  state,  A}  must  have  an  authenticated  chan¬ 
nel  to  Ai ,  and  Ay  must  send  BjBkQ  to  A,  only  after  receiving  a  messages*  Q  from  Ak. 

R2J:  My  must  be  satisfied  prior  to  Ms.  Thus,  A}  must  send  B}BkQ  to  A,  before  receiv¬ 
ing  BtBkQ  fromA,-. 

Notice  that  from  R1  we  have  "{y }  must  be  a  subset  of  {u}'\  and  from  R2  we  have  ”{y }  must 
be  a  subset  of  {a }".  Thus,  the  state  conditions  of  u  and  s  must  be  identical: 

R2J:  u  must  be  a  real  state,  and  hence,  in  Ak ’s  real  state,  Ak  must  have  an  authentic  mes¬ 
sage  channel  to  A, ,  and  Ak  must  send  Q  to  A,  only  if  it  believes  Q . 

R2  also  yields  that  {z  }  must  be  a  subset  of  {f }.  Thus: 

R2.4:  Cz  must  be  satisfied  in  Ct.  In  the  system’s  real  state,  by  R  1.1,  C,  is  satisfied,  and 
hence  Cz  must  be  satisfied.  Hence  in  the  system’s  real  state,  Ak  must  have  an  authentic 
message  channel  to  Ay ,  and  Ak  must  send  BkQ  to  Ay  only  if  it  believes  Q . 

R2.5:  Mz  must  be  satisfied  prior  to  M , .  But  M,  may  become  satisfied  at  any  instant  after 
Mu.  Hence,  Mz  must  be  satisfied  prior  to  Mu.  Thus,  Ak  must  send  BkQ  to  Ay  before 
sending  it  to  A,- . 

This  concludes  the  derivation  of  the  constraints  that  are  necessary  and  sufficient  for  BjBiBkQ 
=>  BiBjBkQ  to  hold  in  the  distributed  system.  Notice  that  the  constraints  we  have  derived  are 
in  fact  the  protocols  that  agents  A,-,  Ay  and  Ak  must  follow  if  the  trust  is  to  be  satisfied  in  the 
system.  Since  in  this  procedure  we  map  a  trust  to  its  semantic  interpretation,  we  obtain  the  pro¬ 
tocols  that  are  necessary  and  sufficient  for  the  trust  to  hold.  Any  WFF  can  be  mapped  to  its 
semantic  interpretation,  and  hence  semantic  interpretation  can  be  carried  out  for  any  trust  result¬ 
ing  in  the  protocols  necessary  and  sufficient  for  the  trust  to  hold.  Since  we  have  not  made  any 
particular  assumptions  with  respect  to  the  nature  of  the  system,  its  models,  or  the  trusts,  this 
methodology  of  obtaining  protocols  necessary  and  sufficient  for  a  given  trust  to  hold  is  general 
in  its  applicability  to  trusts,  systems,  and  their  models.  Even  for  such  a  simple  trust 
specification  which  involves  just  three  agents,  the  constraints  that  we  obtained  earlier  using  a 
casual  interpretation  form  a  small  subset  of  those  we  have  obtained  using  a  formal  interpreta¬ 
tion.  Thus,  formalism  is  essential,  and  mere  intuition  is  not  dependable. 
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It  can  be  shown  that,  if  any  of  the  constraints  R.1.1,  R1.2,  R2.1,  R2.2,  R2.3,  R2.4  and  R2.5 
are  not  satisfied,  this  may  result  in  a  violation  of  the  trust  Let  us  illustrate  this  by  an  example. 
Suppose  part  of  constraint  R2.1,  namely, 

“ Aj  sends  By  Bk  Q  to  A{  only  after  receiving  a  message  containing  Bj  Q  from  A*”, 

is  not  satisfied  in  a  system.  The  trust  specification  'V  Q,  BjBiBkQ  =>  BtBjBkQ  "  is  falsified 
at  the  end  of  the  following  sequence  of  steps  (see  Figure  2.4): 

Step  1  (Figure  2.4(a)):  BkQ  is  true.  Ay  sends  “ BjBk~Q  ”  to  A,,  and  this  creates  a  belief 
"BiBjBk~Q"mAi. 
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Figure  2.4:  A  scenario  which  shows  that  the  trust  can  be  falsified  if  constraint  R2.1  is  not 
satisfied,  (a)  The  sending  of  BjBk~Q  by  Ay  to  A,-  creates  a  belief  BtBjBk~Q  in  A;,  (b) 
The  sending  of  Bk Q  by  Ak  to  A,-  and  Ay  creates  beliefs  BtBkQ  and  BjBkQ.  (c)  The  send¬ 
ing  of  BjBkQ  by  Ay  to  A,  is  rejected  by  Ai  as  it  is  inconsistent  with  the  message  A;  re¬ 
ceived  from  Ay  in  (a),  (d)  The  sending  of  B{BkQ  by  A;  to  Ay  creates  a  belief  BjBiBkQ . 
Since  BiBjBkQ  is  not  true,  the  trust  is  falsified  at  this  juncture. 
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Step  2  (Figure  2.4(b)):  Ak  sends  its  belief  "BkQ  "  first  to  Aj  and  then  to  A,- .  At  this  point,  both 
A j  and  A,-  have  belief  "Bk  Q 

Step  3  (Figure  2.4(c)):  Aj  sends  "BjBkQ "  to  A/.  Since  At  has  earlier  received  " BjBk~Q "  from 
Aj  in  step  1,  and  since  "BkQ  "  is  inconsistent  with  "Bk~Q ",  A,-  rejects  the  message  from  Aj  con¬ 
taining  "BjBkQ".  Notice  that  the  trust  BjB,BkQ  =>  BtBjBkQ  is  not  violated.  This  is  because 
the  trust  is  violated  only  when  the  antecedent  of  the  trust  BjBlBkQ  is  true  but  the  consequent 
BtBjBkQ  is  not  true.  However,  at  the  end  of  this  step  the  antecedent  is  not  true. 

Step  4  (Figure  2.4(d)):  At-  sends  its  belief  "BtBk  Q "  to  Aj.  This  creates  a  belief  ", BjBiBkQ "  in 
Aj.  Thus  the  antecedent  of  the  trustV  Q,BjBtBkQ  =>BiBjBkQ  is  true.  But  the  consequent 
BiBjBkQ  is  not  true  (recall  that  BtBjBk~Q  is  true  at  the  end  of  step  1),  and  hence  the  trust 
"BjBiBkQ  =>  BiBjBkQ"  becomes  false. 

2.8.  Conclusion 

We  have  developed  an  axiomatic  theory  of  trust  in  distributed  systems.  The  theory  of 
trust  is  based  on  modal  logics  of  belief.  Any  well  formed  formula  assumed  to  be  valid  in  addi¬ 
tion  to  the  axioms  of  the  logic  is  considered  as  a  trust  specification.  This  gives  us  much  power 
and  generality  in  expressing  trust  relationships.  We  have  given  a  formal  method  for  synthesiz¬ 
ing  protocols  which  are  necessary  and  sufficient  for  implementing  a  given  trust  specification  in 
a  distributed  system.  In  comparison,  even  for  some  simple  trust  specifications,  informal 
methods  do  not  yield  all  the  required  protocols.  In  Kripke’s  theory,  any  well  formed  formula 
can  be  given  a  semantic  interpretation,  and  since  our  method  of  synthesizing  protocols  that  are 
necessary  and  sufficient  for  a  trust  to  hold  is  based  on  giving  a  semantic  interpretation  to  the 
trust,  our  method  is  general  in  its  applicability  to  trusts,  systems,  and  their  models. 


CHAPTER  3 


ANALYSIS 


Trust  arises  primarily  in  establishing  channels  for  secure  communication.  This  chapter 
analyzes  the  trust  properties  of  various  channel  establishment  mechanisms.  We  define  a  chan¬ 
nel  precisely  and  show  that  the  only  way  to  establish  a  new  channel  is  by  composing  a  sequence 
of  existing  adjacent  channels.  Channel  composition  mechanisms  are  commonly  based  on  either 
public  key  encryption  (PKE)  or  single  key  encryption  (SKE).  We  present  methods  for  reason¬ 
ing  about  the  trust  characteristics  of  PKE-  and  SKE-based  channel  composition  mechanisms. 
PKE-based  channel  composition  requires  3-agent  trust  predicates  called  authenticity  trusts.  The 
trust  requirements  of  SKE-based  channel  composition  are  much  more  extensive  than  those  of 
PKE-based  channel  composition.  The  differences  in  trust  properties  of  PKE  and  SKE-based 
channel  compositions  are  used  to  compare  these  two  methods,  and  derive  several  advantageous 
properties  of  the  former  over  the  latter. 

3.1.  Introduction 

It  was  observed  in  Chapter  1  that  in  any  system,  given  a  set  of  existing  channels,  the  only 
way  to  establish  new  channels  is  by  composing  a  sequence  of  adjacent  existing  channels. 
Channel  composition  mechanisms  may  require  the  satisfaction  of  some  trust  relationships. 
Having  given  a  precise  meaning  to  the  notion  of  trust  in  the  previous  chapter,  we  analyze  the 
trusts  inherent  in  various  channel  composition  mechanisms  in  this  chapter.  The  next  chapter 
discusses  the  synthesis  of  distributed  systems  so  as  to  satisfy  a  given  set  of  trust  relationships. 
The  analyses  presented  in  this  chapter  must  precede  the  design  methodology  of  the  next  chapter 
because,  to  be  able  to  make  use  of  a  mechanism  in  a  distributed  system  that  is  designed  to 
satisfy  a  given  set  of  trusts,  one  has  to  know  the  trust  properties  of  the  mechanism.  These  ana¬ 
lyses  provide  insight  into  the  basic  structure  and  the  limitations  of  mechanisms  with  regard  to 
their  trust  requirements. 

In  Section  3.2  we  define  a  channel  precisely,  and  prove  that  the  only  way  to  establish  new 
channels  is  by  composing  existing  channels.  In  order  to  analyze  trusts  formally  in  various  chan¬ 
nel  composition  mechanisms,  the  fundamental  actions  in  the  mechanisms  must  be  encoded  in 
the  language  of  the  logic  of  trust  Section  3.3  introduces  the  atomic  propositions  that  encode 
these  fundamental  actions.  Channels  are  based  on  encryption,  and  there  are  two  commonly 
used  encryption  techniques,  namely,  public  key  encryption  (PKE)  and  single  key  encryption 
(SKE).  Sections  3.4-3.7  analyze  the  trust  relationships  required  in  PKE-  and  SKE-based  chan¬ 
nel  composition  mechanisms,  with  Sections  3.4  and  3.5  considering  the  composition  of  two 
channels,  and  Sections  3.6  and  3.7  considering  the  composition  of  more  than  two  channels. 
Making  use  of  the  results  of  these  formal  analyses,  Section  3.8  discusses  the  advantages  of 
PKE-based  mechanisms  over  SKE-based  mechanisms  for  channel  composition.  Finally,  Sec¬ 
tion  3.9  concludes  the  chapter. 

3.2.  Channels 

In  order  to  analyze  trusts  in  channel  composition  mechanisms,  we  first  have  to  define  a 
channel  precisely. 
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3 2.1.  Definition  of  Channel 

A  channel (Ai ,  Ak)  is  said  to  exist  between  two  agents  A,  and  Ak  if  and  only  if  the  follow¬ 
ing  two  conditions  are  satisfied  (see  Figure  3.1): 

(1)  Authenticity  Condition:  A,  can  authenticate  messages  coming  from  Ak,  i.e.,  Af  can 
determine  whether  a  message  it  received  has  been  really  sent  by  Ak,  and 

(2)  Privacy  Condition:  A,-  can  send  a  secret  message  to  Ak ,  A,-  knows  the  identities  of  agents 
other  than  Ak  that  can  decrypt  the  secret  message  (because  these  agents  might  possess  the 
key  with  which  the  secret  message  is  encrypted),  and  the  decryption  of  the  secret  message 
by  those  agents  is  acceptable  to  At . 

Algorithms  for  ensuring  both  these  conditions  are  executed  at  A,-  using  information  such  as 
encryption  keys  associated  with  Ak .  The  privacy  condition  is  motivated  by  the  observation  that 
agents  other  than  A;  and  Ak  may  have  been  involved  in  establishing  channel(A,  t  Ak),  in  which 
case  those  agents  may  possess  the  channel  encryption  key  and  hence  have  the  capability  to 
decrypt  secret  messages  on  the  channel.  The  privacy  condition  requires  that  A,-  precisely  know 
the  identities  of  those  agents.  As  we  shall  see  in  later  sections,  the  agents  that  may  possess  the 
channel  encryption  key  are  those  that  are  in  the  path  between  A,  and  Ak  in  the  system’s  name 
space,  and  with  each  such  agent,  A,-  has  to  have  a  trust  relationship  that  guarantees  that  the 
agent  will  not  compromise  the  security  of  channel(A, ,  Ak).  In  Chapter  4,  we  shall  see  how  A, 
can  control  the  set  of  such  agents.  Notice  that  channel(A,  ,  Ak)  involves  messages  in  either 
direction  and  does  not  imply  that  messages  can  only  flow  from  A;  to  Ak.  Channel(A, ,  Ak)  and 
channeKA* ,  A, )  together  form  a  bidirectional  channel  between  A,  and  Ak . 

3 22.  Channel  Establishment 

We  now  show  that  in  any  system,  given  a  set  of  existing  channels,  the  only  way  to  estab¬ 
lish  a  new  channel  is  by  composing  a  sequence  of  adjacent  existing  channels.  Even  though  this 
result  seems  very  intuitive,  it  is  a  very  powerful  result.  As  we  shall  see  in  Sections  3.4-3.7,  this 
result  greatly  simplifies  the  analysis  of  trust  properties  of  channel  establishment  mechanisms. 
A  channel  established  by  composing  other  channels  is  called  a  dependent  channel .  On  the 


Authenticity 

< — . . 


Privacy 


Figure  3.1:  Channel(A,- ,  Ak ) 
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other  hand,  an  independent  channel  does  not  use  any  other  channels  for  its  establishment.  The 
system  provides  independent  channels  at  the  time  of  system  configuration.  Independent  chan¬ 
nels  are  established  using  mechanisms  external  to  the  system,  such  as  courier-exchanges 
between  agents. 

Theorem  3.1  (Channel  Composition  Theorem):  Suppose  that,  in  a  system  consisting  of 
agents  A,-,  A/,  A/, ...,  A  ",  Ak,  the  only  existing  channels  are  channel(A;,  A,1),  channel^1,  Ay2), 
....  channel04",  Ak),  which  form  a  path  between  Ai  and  Ak.  Any  mechanism  that  establishes 
channel(A,-,  Ak)  necessarily  involves  messages  on  all  the  existing  channels,  and  the  mechanism 
must  necessarily  consist  of  a  succession  of  compositions  of  two  adjacent  channels. 

Proof:  The  proof  is  by  induction  on  the  number  of  agents  A Af . A"  in  the  path  between  A,- 

and  A*. 

Base  Case:  Suppose  n  =  0.  The  result  is  trivially  true. 

Induction  Step:  Assuming  that  the  theorem  holds  for  n  <  m ,  we  show  that  it  holds  for  n  =  m . 
Let  the  sequence  of  channels  form  the  only  path  between  A;  and  Ak  (see  Figure  3.2).  The  estab¬ 
lishment  of  channel(A; ,  Ak)  requires  that  Ak ’s  encryption  key  be  received  by  A, .  Since  At-  can 
receive  messages  only  on  its  existing  channels,  and  since  its  only  existing  channel  is 
channel(A; ,  Ay‘),  for  channel(A15  Ak)  to  be  established,  A,  must  receive  Ak ’s  key  in  a  message 
from  Aj 1  on  channel(A,-,  A/).  Thus,  a  message  on  channel(A, ,  Aj)  is  necessary,  and  Ay1  must 
have  possessed  Ak  s  key  prior  to  sending  it  to  At.  But  Aj1  possessing  Ak's  key  implies  that 
channel^1,  Ak)  exists.  Consequently,  channel(A j ,  Ak)  must  have  been  established  prior  to 
A/'s  sending  of  A*’s  key  to  A,.  Hence,  channel(A(,  Ak)  was  composed  from  two  adjacent 
channels,  channel(A, ,  A /)  and  channel(A/,  Ak),  and  the  composition  involved  a  message  on 
channel(A/ ,  A/).  However,  from  the  induction  hypothesis,  channel  (A,1,  Ak)  involved  messages 


Figure  3.2:  The  Channel  Composition  Theorem 


24 


on  all  the  channels  in  the  path  between  A/  and  -A*,  and  hence  channel^/,  Ak)  was  the  result  of 
a  succession  of  adjacent  two-channel  compositions  between  A /  and  Ak.  Thus,  any  mechanism 
that  establishes  channel^ ,  Ak)  must  necessarily  involve  messages  on  all  the  existing  channels, 
and  must  necessarily  consist  of  a  succession  of  adjacent  two-channel  compositions.  This  com¬ 
pletes  the  proof  of  the  Channel  Composition  Theorem. 

□ 


Channel  establishment,  which  is  a  sequence  of  adjacent  channel  compositions,  requires 
trust  relationships.  The  trust  relationships  required  are  such  that,  when  they  hold  in  the  system, 
the  authenticity  and  privacy  conditions  of  the  newly  established  channel  are  satisfied,  and,  when 
they  do  not  hold,  these  conditions  are  not  satisfied. 

In  the  next  few  sections,  we  analyze  the  trust  requirements  of  various  channel  composition 
mechanisms.  The  trust  requirements  depend  on  the  algorithms  used  for  ensuring  the  two  chan¬ 
nel  conditions.  We  will  consider  the  two  commonly  used  kinds  of  these  algorithms,  namely, 
public  key  encryption  algorithms  (PKE)  [DiH76,RSA78]  and  single  key  encryption  algorithms 
(SKE)  [NBS77]. 

In  order  to  do  a  formal  analysis  of  the  various  mechanisms,  we  have  to  encode  the  funda¬ 
mental  actions  of  the  mechanisms  into  the  language  of  the  logic  of  trust.  This  is  accomplished 
in  the  next  section. 

3J.  Atomic  Propositions 

Fundamental  actions  at  a  given  level  of  abstraction  are  encoded  in  the  language  of  the 
logic  of  trust  by  atomic  propositions.  Atomic  propositions  are  so  called  because  they  are  the 
most  basic  well  formed  formulas  in  the  language  of  the  logic,  and  an  atomic  proposition  cannot 
be  described  in  terms  of  any  other  atomic  propositions.  Thus,  the  set  of  atomic  propositions  is 
not  unique  to  a  system,  but  depends  on  the  level  of  abstraction  at  which  we  are  analyzing  the 
system.  For  our  analysis  of  trust  relationships  in  PKE-  and  SKE-based  channel  composition 
mechanisms,  the  fundamental  actions  are  key-generation,  message-sending  and  message- 
reception.  These  are  abstracted  by  the  following  atomic  propositions: 

(1)  owner(key„  A,)  (Ownership  Proposition):  PKE  and  SKE  algorithms  make  use  of 
encryption  keys  belonging  to  agents.  Let  a  key  denote  an  encryption  key  from  a  finite  key 
space  KEY.  An  ownership  proposition  encodes  the  generation  of  a  key.  Owner(keyx,  A|) 
returns  true  if  and  only  if  agent  At-  generated  the  encryption  key  keyx.  Given  a  notion  of 
feasible  computation,  it  is  assumed  that  an  agent  can  generate  keys  (perhaps  using  random 
number  generators)  that  cannot  be  generated  using  a  feasible  computation  by  any  other 
agent  [Den82],  Note  that  the  generator  of  the  ke>  is  always  its  owner.  Thus,  if  a  key 
server  generates  a  key  and  hands  it  over  to  an  agent,  the  key  server  retains  the  ownership 
of  the  key.  In  Section  3.4,  we  shall  describe  using  beliefs  the  relationship  between  an 
agent  and  a  key  that  the  agent  receives  from  a  key  server. 

(2)  send(A,,  msgx):  This  atomic  proposition  abstracts  the  sending  of  a  message  msgx  by  an 
agent  A,-.  Suppose  msgx  can  be  derived  using  a  feasible  computation  from  another  mes¬ 
sage  msgy.  From  the  viewpoint  of  security,  sending  msgy  on  a  channel  has  also  the  effect 
of  sending  msgx  on  the  channel.  Thus  send(At,  msgx)  returns  true  if  and  only  if  A,  sends 
a  message  msgy  such  that  at  the  time  of  sending,  A,  can  derive  msgx  from  msgy  using  a 
feasible  computation.  Msgx  can  be  identical  to  msgy .  Notice  that  a  second  agent  A j  may 
be  able  to  derive  msgz  from  msgy;  if  A,  cannot  derive  msgz  from  msgy,  then  the 
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proposition  is  not  true.  In  practice,  msgx  is  a  message  that  can  be  obtained  by  decrypting 
msgy  using  a  key  that  A,  possesses. 

(3)  receive(A1,  msgx):  This  atomic  proposition  abstracts  the  receiving  of  a  message  msgx  by 
an  agent  At .  Suppose  msgx  can  be  derived  from  another  message  msgy  using  a  feasible 
computation.  From  the  viewpoint  of  security,  receiving  msgy  on  a  channel  has  also  the 
effect  of  receiving  msgx  on  the  channel.  Thus  receive(A|,  msgx)  returns  true  if  and  only  if 
Ai  receives  a  message  msgy  such  that,  at  the  time  of  receiving,  A,-  can  derive  msgx  from 
msgy  using  a  feasible  computation. 

We  are  now  fully  equipped  to  proceed  with  the  analysis  of  trust  relationships  in  channel 
composition  mechanisms.  For  ease  of  understanding,  the  analysis  considers  the  following  cases 
separately  (in  the  order  of  increasing  complexity): 

(1)  Composition  of  two  independent  channels  using  PKE, 

(2)  Composition  of  two  independent  channels  using  SKE, 

(3)  Composition  of  two  dependent  channels  using  PKE  or  SKE,  and 

(4)  Composition  of  more  than  two  independent/dependent  channels  using  PKE  or  SKE. 

In  the  sequel,  the  composition  of  two  independent  channels  will  be  termed  independent 
channel  composition  and  that  of  two  dependent  channels  will  be  termed  dependent  channel 
composition. 

3.4.  Composition  of  Two  PKE-based  Independent  Channels 

Suppose  channel  (A,,  Ak)  is  to  be  obtained  from  channel  (A ;,  Ay)  and  channel(Ay,  Ak).  In 
the  PKE  scheme  [DiH76,RSA78],  each  agent  has  a  two  keys,  namely,  a  public  key  and  a 
private  key  that  form  a  pair.  A  message  sent  encrypted  with  a  public  key  can  only  be  received 
by  decrypting  it  with  the  corresponding  private  key,  and  vice  versa.  To  compose  channel(A, , 
Ak)  from  channel(A,,  Ay)  and  channel  (Ay,  Ak),  Ak  selects  a  (public  key,  private  key)  pair  and 
sends  the  public  key  to  Ay  on  channel(Ay ,  Ak)  (see  Figure  3.3).  In  practice,  Ay  may  be  a  name 
server  that  stores  Ak's  public  key.  When  A,  sends  a  request  for  Ak  ’s  public  key  to  Ay ,  Ay  for¬ 
wards  Ak’s  public  key  to  A,-  on  channel(A,-,  Ay).  For  channel(A,-,  Ak)  to  be  established,  it  is 
necessary  and  sufficient  for  At-  to  know  Ak's  public  key. 

3.4.1.  Trusts  in  PKE-based  Channel  Composition 

Let  us  look  at  the  PKE-based  channel  composition  mechanism  more  formally.  When  Ak 
selects  a  public-key  private-key  pair  ( key ^ub,  key%riv),  it  adds  a  belief  “ Bkowner(key%ub ,  Ak)". 
Since  the  public  key  uniquely  determines  the  private  key,  a  second  belief  claiming  ownership  of 
the  private  key  is  redundant.  Note  that  it  is  not  necessary  for  Ak  to  be  the  owner  of  the  key  pair, 
it  suffices  if  Ak  believes  to  be  the  owner.  Thus,  an  agent  that  does  not  have  the  ability  to  gen¬ 
erate  keys  can  obtain  a  key  pair  from  some  other  agent  and  at  its  risk,  use  that  key  pair  as  its 
own. 

Ak  then  sends  its  belief,  Bk  owner  (key ^ub,  Ak)  to  Ajy  and  this  creates  a  belief, 
BJBkowner(key?ub,  Ak )  in  Ay.  When  Ay  receives  a  request  for  Ak' s  public  key  from  A;,  Ay 
replies  with  its  belief,  B^ownerO&jyf^,  Ak).  This  reply  from  Ay  to  A,-  creates  a  belief, 
Bi Bj Bk owner  ( key '£ub,  Ak)  in  A,-. 

However,  the  belief  BiBjBkowner(key£ub  Ak)  is  not  sufficient  for  channel(A;,  Ak)  to  be 
established  at  A;.  For  channel(A,-,  Ak)  to  be  established  at  A; ,  A,  must  prove  that  Ak  believes 
key%ub  to  be  its  public  key,  i.e.,  A;  must  prove  that  B k  owner  (key £ub,  Ak)  is  true.  A,  is  not 
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Figure  3.3:  PKE-based  channel  composition  mechanism 


required  to  prove  owner  (key£ub,  Ak)  because  it  is  permissible  for  A,  to  obtain  a  key  pair  from  a 
key  server  and  to  use  the  key  pair  as  its  own.  In  such  a  case  the  key  server  retains  the  owner¬ 
ship  of  the  key  pair,  whereas  A,  adds  a  belief  B k owner  {key!’uh,  Ak).  The  required  trust  relation¬ 
ship  must  be  such  that  A,-  can  infer  Bkowntx(key^ub,  Ak)  from  its  belief  BiBJBkcrwner{key£ub, 
Ak).  Rewriting  this  requirement  as  a  formula,  we  obtain  the  following  trust  for  PKE-based 
channel  composition: 

TA(Aj,  Aj,  Ak)  (Authenticity  Trust):  V  keyg“b  in  the  public-key  space  PKEY , 
BlBjBkowns.kkeyZub,  Ak )  =>  Bkovmcxikey^ub,  Ak). 

The  trust  is  called  authenticity  trust  because  its  validity  requires  Ay  to  forward  correctly  to 
A,-  the  public  key  that  Ay  received  from  Ak.  In  other  words,  Ay  has  to  forward  authentic  infor¬ 
mation  about  Ak  to  A; . 

Interpreting  TA  (A,- ,  Ay ,  Ak)  as  “A,  trusts  Ay  for  Ak  ”  gives  a  connotation  that  A,-  is  inevit¬ 
ably  the  only  loser  if  TA (A; ,  A jfAk)  is  not  true.  We  will  now  show  that  falsity  of  TA (A,-,  Ay, 
Ak)  may  be  disadvantageous  to  either  A;  or  Ak,  and  hence  TA(Ait  Ay,  Ak)  should  be  interpreted 
as  an  agreement  involving  A, ,  Ay  and  Ak  in  which  Ay  has  agreed  to  correctly  forward  Ak ’s  key 
to  A,- . 

If  we  use  a  client-server  model  of  a  distributed  system,  there  are  two  cases  of  interest  with 
respect  to  the  interaction  between  A,-  and  Ak  (see  Figure  3.4): 

(1)  A,-  is  a  client  and  Ak  is  a  server.  As  an  example,  let  Ak  be  a  time  server.  Suppose  A; 
sends  a  time-of-day  request  to  Ak,  and  A;  receives  a  reply  purporting  to  be  from  Ak.  Fal¬ 
sity  of  Ta  (A,- ,  Ay ,  Ak)  can  result  in  A,-  accepting  a  reply  from  another  agent  Am  which  in 
collusion  with  Ay  is  masquerading  as  Ak .  Thus,  A,  accepts  an  incorrect  time-of-day  reply, 
and  A,  is  the  loser  for  the  falsity  of  TA  (A,- ,  Ay ,  Ak). 
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(2)  Ai  is  a  server  and  Ak  is  a  client.  As  an  example,  let  At  be  a  file  server.  Falsity  of 
Ta  (Ai ,  Aj ,  Ak)  can  result  in  an  agent  Am  colluding  with  Ay  to  masquerade  as  Ak  in  send¬ 
ing  a  file-write  request  to  the  file  server  A,- .  At  accepts  an  incorrect  write  to  Ak  ’s  file,  and 
thus  Ak  is  the  loser  for  the  falsity  of  TA(Ait  Aj,  Ak).  (Ai  might  be  a  loser  too  if  it  has  to 
pay  damages.) 

In  summary,  falsity  of  TA(Ait  Aj,  Ak)  can  be  disadvantageous  to  either  A,  or  A*  or  both,  and 
hence  TA (Ai ,  A j,  A k)  should  be  interpreted  as  an  accord  involving  A, ,  A;  and  Ak ,  in  which  Aj 
has  agreed  to  forward  correctly  Ak ’s  key  to  A; . 

3.4.2.  Necessity  and  Sufficiency  of  Authenticity  Trust 

Trust  requirements  depend  on  the  channel  composition  mechanism  under  consideration. 
A  set  of  trust  relationships  is  sufficient  w.r.t.  a  channel  composition  mechanism  if,  by  using  the 
trusts  as  assumptions,  the  two  channel  conditions  presented  in  Section  3.2  can  be  shown  to  be 
satisfied  for  the  newly  composed  channel.  A  set  of  trusts  is  necessary  w.r.t.  a  channel  composi¬ 
tion  mechanism  if,  for  each  assignment  to  the  variables  in  the  trusts  that  makes  at  least  one  of 
the  trusts  false,  the  same  assignment  also  makes  at  least  one  of  the  two  channel  conditions  not 
satisfied.  If  a  set  of  trusts  is  necessary  and  sufficient  w.r.t.  a  channel  composition  mechanism, 
the  trusts  in  the  set  exactly  encode  the  assumptions  inherent  in  the  channel  composition 
mechanism.  The  following  theorem  proves  that  the  authenticity  trust  is  necessary  and  sufficient 
in  PKE-based  channel  composition  mechanism. 

Theorem  3.2:  The  authenticity  trust  is  necessary  and  sufficient  w.r.t.  PKE-based  channel  com¬ 
position  mechanism. 


Figure  3.4:  Interpreting  authenticity  trust:  Illustration  of  how  either  A,-  or  A*  may  lose  ow¬ 
ing  to  falsity  of  TA  (Ai ,  A; ,  Ak).  Am  in  collaboration  with  Ay ,  masquerades  as  Ak  to  At  (a) 
msg -l  is  a  time  request,  msg-2  is  a  time  reply  from  Am  msg- 3  is  a  request  for  A*  ’s  pub¬ 
lic  key,  and  msg is  a  reply  containing  Am  ’s  public  key.  (b)  msg- 1  is  a  write-request  to 
Ak's  file,  msg-2  is  a  request  for  Ak’s  public  key,  and  msg -3  is  a  reply  containing  Am ’s 
public  key. 


28 


Proof:  Suppose  channel^,  A;)  and  channel^,  Ak)  are  composed  to  form  channel^,-,  Ak) 
using  the  PKE-based  channel  composition  mechanism.  We  first  show  that  the  authenticity  trust 
is  sufficient,  and  then  show  that  it  is  necessary. 

The  proof  that  authenticity  trust  is  sufficient  is  straight-forward.  For  channel(A(- ,  Ak)  to 
have  been  established,  A,-  must  have  received  key?1*  on  its  existing  channel^,.  Ay),  hence 
B i Bj Bk ownerfitey^"*,  Ak)  is  true.  By  the  authenticity  trust,  Bkovmer(key%ub,  Ak)  must  be  true. 
Thus,  Ak  alone  uses  for yf‘v  and  the  properties  of  public  key  encryption  ensure  the  satisfaction  of 
both  the  channel  conditions.  Thus,  the  authenticity  trust  is  sufficient  for  channel(A,-,  Ak)  to  be 
established. 

Let  “V”,  “A”,  and  denote  inclusive  OR,  AND,  and  complementation  respectively. 
To  show  that  the  authenticity  trust  is  necessary,  notice  that  this  trust  can  be  written  as: 

Bkowner(key£ub,  Ak)  V  ~BiBjBkowner  ( key gub,  Ak).  (3.1) 

The  negation  of  formula  (3.1)  is: 

~Bk owner  {key^,  Ak)  h.BiBjBk  owner  {key!™*’ ,  Ak).  (3.2) 

The  only  variable  in  the  above  formula  is  key .  Suppose  that,  for  some  assignment  to  key%  , 
formula  (3.2)  is  satisfied,  i.e.,  both  ~BkovmcT(.keyr,  Ak)  and  BiBJBkovmer(keyPub,  Ak)  are 
true.  Since  BiBjBko\meTikeyPub,  Ak)  is  true,  A;  has  received  key?'1*’  during  the  creation  by 
composition  of  channel(A,- ,  Ak),  and  hence  A,-  uses  key£ub  as  the  key  of  channel  (A,- ,  A*).  Thus, 
when  A;  receives  a  message  purporting  to  be  from  Ak,  Ai  uses  keyZub  for  authenticating  the 
received  message.  If  the  received  message  has  been  encrypted  with  key fnv,  A,  determines  that 
the  message  sender  is  Ak .  However,  since  ~Bkowncr{key£  ,  Ak)  is  true,  Ak  does  not  use  key%riv 
to  encrypt  messages,  and  hence  the  message  was  not  sent  by  Ak .  Thus,  the  authenticity  condi¬ 
tion  of  channel(A;,  Ak)  becomes  false.  Thus,  if  any  assignment  to  the  only  variable  in  the 
authenticity  trust  makes  the  trust  false,  the  same  assignment  can  make  the  authenticity  condition 
of  channel(A, ,  Ak)  false.  This  completes  the  proof  that  authenticity  trust  is  necessary  w.r.L  the 
PKE-based  channel  composition  mechanism. 

□ 


There  is  another  method  by  which  we  can  show  that  the  authenticity  trust  exactly  encodes 
the  assumptions  inherent  in  PKE-based  channel  composition  mechanism,  and  that  is  by  viewing 
the  trust  as  a  well-formed  formula  in  the  logic  of  belief  and  carrying  out  its  formal  semantic 
interpretation.  Techniques  developed  in  Section  2.7  are  used  to  carry  out  the  formal  semantic 
interpretation.  The  following  section  illustrates  the  method. 

3.4.3.  Semantic  Interpretation  of  the  Authenticity  Trust 

Let  the  state  of  the  system  be  s.  Consider  the  antecedent  of  the  authenticity  trust, 
Bi Bj Bk owner(jfceyf Ak).  The  semantic  interpretation  of  this  belief  is  that  there  is  a  possible 
state  t  such  that  (s1t)e  p and  the  following  conditions  are  satisfied  in  t  (see  Figure  3.5): 
(Al):  The  state  of  A,  is  the  same  as  that  in  s , 


1  p,-  is  A,  ’s  possibility  relatioa  The  method  of  semantically  interpreting  a  belief  was  described  in  Section  2.7. 
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(A2):  there  is  an  authenticated  channel  from  Aj  to  At , 

(A3):  Aj  has  sent  BjBk owner ikeyf?*,  Ak )  to  A,- ,  and 

(A4):  BjBkovmeT(keyPub,  Ak)  is  true,  i.e.,  A}  has  received  “fi^ownerftey^,  Ak)"  from 

Now  consider  state  t.  By  condition  A4,  BjBkowneT(lcey£ub,  Ak)  is  true  in  t,  and  interpreting 
this  belief  yields  that  there  is  a  possible  state  u  such  that  (/,  u)  e  p,,  and  the  following  condi¬ 
tions  are  satisfied  in  u : 

(A5):  The  state  of  Aj  is  same  as  that  in  r,  hence  conditions  A2,  A3  and  A4  are  satisfied  in 
u, 

(A6):  there  is  an  authenticated  channel  from  Ak  to  A} , 

(A7):  Ak  has  sent  Bk owner(feyf ub,  Ak)  to  A},  and 
(A8):  Bkovme.r(key%ub,  Ak )  is  true. 

Now  consider  the  consequent  of  the  authenticity  trust,  Bkovmsx(keyflub,  Ak).  The  tmst  requires 
that  in  any  state  in  which  the  antecedent  is  true,  the  consequent  also  be  true.  Since  the 
antecedent  is  true  in  state  s ,  we  need  also  the  consequent  to  be  true  in  state  s .  Comparing  con¬ 
dition  A8  and  the  consequent,  we  obtain  that  the  consequent  is  true  in  u .  Thus,  for  the  conse¬ 
quent  to  be  true  in  s ,  it  must  be  the  case  that  s  =  u .  However,  in  u ,  conditions  A5,  A6,  A7  and 
A8  are  satisfied.  Thus,  in  the  real  state  s ,  conditions  A5,  A6,  A7  and  A8  must  be  satisfied.  But 
A5  requires  that  A2,  A3  and  A4  be  satisfied.  Thus,  in  real  state  s ,  A2,  A3,  A4,  A6,  A7  and  A8 
must  be  satisfied.  Notice  that  these  conditions  are  exactly  the  assumptions  on  which  the  PKE- 
based  channel  composition  mechanism  is  founded: 


30 


A2:  Existence  of  channel  (A  ,• ,  Aj ), 

A3  and  A4:  Aj  correctly  forwards  Ak ’s  key, 

A6:  Existence  of  channel(A;- ,  Ak ),  and 

A7  and  A8:  Ak  selects  a  public-key  private-key  pair  and  sends  the  public  key  to  Aj . 

This  concludes  the  verification  that  the  authenticity  trust  exactly  encodes  the  assumptions 
inherent  in  the  PKE-based  channel  composition  mechanism,  and  hence  the  authenticity  trust  is 
necessary  and  sufficient  w.r.t.  the  PKE-based  channel  composition  mechanism. 

35.  Composition  of  Two  SKE-based  Independent  Channels 

Suppose  that  channel(A/t  Ak)  is  to  be  composed  from  channel(A, ,  Aj)  and  channel(A,, 
Ak).  In  the  SKE  scheme  [NBS77],  there  is  one  key  belonging  to  each  agent,  and  the  key  is 
referred  to  as  the  agent’s  single  key.  A  message  sent  encrypted  with  a  single  key  can  only  be 
received  by  decrypting  it  with  the  very  same  single  key,  and  vice  versa.  To  obtain  channel(A, , 
Ak)  from  the  composition  of  channel(At-,  Aj)  and  channel(A j ,  Ak),  Ak  selects  a  single  key  and 
sends  the  single  key  to  Aj  in  a  message  msgkj  on  channel(Ay,  Ak)  (see  Figure  3.6).  When  A,- 
sends  a  request  for  Ak  s  key  to  A} ,  As  forwards  Ak  s  single  key  to  A,  in  a  message  msg}i  on 
channel(A,- ,  Aj).  It  is  necessary  for  A,  to  know  Ak ’s  single  key  for  channel(A, ,  Ak)  to  be  esta¬ 
blished.  Thus,  the  authenticity  trust  is  necessary  as  in  the  PKE  scheme. 

There  is  a  major  difference  between  the  PKE  and  SKE  schemes  with  regard  to  trust 
requirements.  In  the  PKE  scheme,  an  agent  such  as  Ay,  even  though  it  has  obtained  Ak ’s  public 
key  during  channel  composition,  cannot  masquerade  as  Ak  or  decrypt  secret  messages  on 
channel^ ,  Ak).  But  in  the  SKE  scheme,  knowing  Ak  ’s  single  key  enables  Aj  to  masquerade  as 


Figure  3.6:  SKE-based  channel  composition  mechanism 
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d*  and  to  decrypt  secret  messages  by  eavesdropping  on  channeled,-,  d*).2  Thus,  authenticity 
and  privacy  conditions  of  channeled,- ,  Ak)  are  not  satisfied.  Hence,  the  authenticity  trust  is  not 
sufficient  w.r.L  the  SKE-based  channel  composition  mechanism. 

To  determine  the  remaining  trust  requirements  of  the  SKE  scheme,  notice  that  the 
definition  of  channeled,- ,  Ak)  requires  d;  to  know  the  set  of  agents  other  than  d,-  and  Ak  that  can 
receive  secret  messages  sent  on  channeled,- ,  Ak).  The  set  of  agents  that  can  decrypt  secret  mes¬ 
sages  on  channeled,-,  Ak)  are  those  that  have  obtained  Ak’s  single  key.  During  the  channel 
establishment  process,  an  agent  may  have  obtained  Ak's  single  key  either  when  the  key 
traversed  the  path  from  Ak  to  A j  in  message  msgkj  or  when  the  key  traversed  the  path  from  Aj 
to  A  i  in  message  msgji . 

Consider  an  agent  dml  that  may  have  obtained  the  key  by  receiving  msgkj  3.  Notice  that, 
by  definition,  channeled*,  Aj)  allows  Ak  to  send  a  secret  message  to  Aj  so  that  Ak  knows  the 
identity  of  agents  who  can  decrypt  the  secret  message.  Thus  the  identity  of  agent  Am  x  is  known 
to  Ak  if  Ak  sends  msgkj  as  a  secret  message  on  channeled* ,  A} ). 

Now  consider  an  agent  Aml  that  may  have  obtained  the  key  by  receiving  msgji .  By 
definition,  channeled, ,  d,-)  allows  d,  to  send  a  secret  message  to  d,  so  that  Aj  knows  the  iden¬ 
tity  of  agents  who  can  decrypt  the  secret  message.  Thus,  the  identity  of  agent  Am  2  is  known  to 
Aj  if  Aj  sends  msgji  as  a  secret  message  on  channeled,,  At ). 

To  ensure  that  d,  knows  the  identity  of  Aml  and  Am2,  the  following  mechanism  can  be 
used:  Ak  sends  the  string  “dml,  BkowntT(keyx,  d*)”  to  Aj  in  a  secret  message  msgkj  on 
channeled*,  Aj).  When  Aj  receives  msgkj,  it  decrypts  msgkj  using  the  key  of  channeled*,  Aj) 
and  authenticates  msgkj  using  the  key  of  channeled,,  d*)  4.  At  this  juncture,  Aj  knows  the 
identities  of  both  dml  and  dm2.  Aj  sends  the  string  “dml,  Am2,  BjBkovmer(keyx,  Ak)"  to  d,-  in 
a  secret  message  msgji  on  channeled,- ,  d,-).  When  d,  receives  msgji  *  it  decrypts  msgkj  using  the 
key  of  channeled, ,  d, )  and  authenticates  msgkj  using  the  key  of  channeled,  ,d,). 

The  assumptions  in  the  above  mechanism  are  formally  captured  in  the  following  trust 
definition: 

Tf(A„  Aj,  Ak)  (Forwarding  Trust):  V  keyx ,  Am  x,  Aml, 

Bi Bj Bk owner  {keyx ,  d* )  =>  (((send(d,-,  keyx)  A  receive(dm2.  keyx))  =>  B,B,receive(dm2, 

keyx))  A  ((send(d*,  keyx)  A  receive(dml,  keyx))  =>  BjBk receive(dml,  keyx))  A 

(BjBk  receive(dm  j,  keyx)  =>  B,B,B*receive(dml,  keyx))). 

The  antecedent  in  the  above  definition  of  forwarding  trust  encodes  that  d,  has  received  d*  ’s  key 
through  Aj . 

The  first  term  of  the  consequent,  “(send(dy-,  keyx)  A  receive(dm2,  keyx ))  => 
B,Byreceive(dm2,  keyx)"  encodes  that,  if  An2  is  able  to  obtain  d*  ’s  key  by  decrypting  msgji .  Aj 
informs  d,-  of  dm2’s  identity. 

The  first  factor  in  the  second  term  of  the  consequent,  “(send(d*,  keyx)  A  receive(dml, 
keyx))  =>  BjBk receive(dml,  keyx)"  encodes  that,  if  dml  is  able  to  obtain  d*’s  key  by 


2  Notice  that,  even  if  chaitnel(A,- ,  A* )  does  not  physically  go  through  Aj ,  Aj  can  still  decrypt  secret  messages  by 
eavesdropping  on  the  channel. 

3  The  set  of  agents  {Ami }  may  be  empty,  but  that  is  only  a  special  case. 

1  Notice  that  channel(At,  Ay)  is  necessary  for  Ak  to  send  a  secret  message  to  Ay,  whereas  channel(Ay ,  At )  is 
necessary  for  Ay  to  authenticate  a  message  sent  by  At . 
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decrypting  msgkj,  Ak  informs  Ay  of  Ami’s  identity.  The  second  factor,  “ByB*receive04ml, 
lceyx )  =>  BiBjBkTCceive(Aml,  keyx )”  encodes  that  A;  correctly  forwards  the  identity  of  Aml  to 
A/. 

To  recapitulate,  the  forwarding  trust  allows  A,-  to  determine  the  identities  of  all  agents  Am 
that  may  have  obtained  keyx  by  decrypting  msgkj  or  msgji .  Three  more  assumptions  are  neces¬ 
sary  for  the  conditions  of  channel^,- ,  Ak)  to  be  satisfied.  Firstly,  Am  must  not  reveal  keyx  to 
any  other  agent  Az .  This  assumption  is  captured  by  the  Key  Privacy  Trust  below.  Secondly,  for 
the  authenticity  condition  of  channeled,  Ak)  to  be  satisfied,  Am  must  not  use  keyx  to 
masquerade  on  channel(A,- ,  Ak).  This  assumption  is  captured  by  the  Trust  against  Masquerad¬ 
ing  defined  below.  Lastly,  for  the  privacy  condition  of  channel(Az,  Ak)  to  be  satisfied,  Am  must 
not  decrypt  and  reveal  a  secret  message  sent  on  channel(A,-,  Ak).  This  final  assumption  is  cap¬ 
tured  by  die  Message  Privacy  Trust  defined  below. 

Tkp(A|,  Am,  Ak)  (Key  Privacy  Trust):  V  keyx,BiBkowner(Jceyx,Ak)  =>  ~send(Am,  keyx). 

TAM»sq(A„  Am,  Ak)  (Trust  against  Masquerading):  V  msgx,  (receive(A; ,  msgx )  A  £r,send(A*, 
msgx))  =>  "send(Am ,  msgx). 

Tmp(A,,  Am,  Ak)  (Message  Privacy  Trust):  V  msgz,  (send(A;,  msgx)  A  Bt receive^*,  msgx)  A 
receive(Am ,  msgx  ))  =>  ~send(Am ,  msgx  ). 

These  three  trusts  are  required  of  any  agent  that  possesses  Ak  ’s  key.  The  three  trusts  together 
form  the  Key  User-Possessor  Trust,  denoted  by  TjQjp. 

The  following  theorem  summarizes  all  the  above  results  about  SKE-based  channel  com¬ 
position. 

Theorem  3.3:  Suppose  that  in  a  system  there  are  agents  A,  and  Ak ,  and  channel(A, ,  Ak)  is  to  be 
established  using  SKE-based  composition.  There  must  exist  an  agent  Ay  such  that  there  are 
four  channels,  channel(A,,  Aj),  channel(Ay ,  A,),  channel(Ay,  Ak)  and  channe^A*,  Aj).  The 
authenticity  tmst,  the  forwarding  trust  and  the  key  user-possessor  trust  are  necessary  and 
sufficient  w.r.t.  SKE-based  channel  composition. 

Proof:  By  the  Channel  Composition  Theorem,  there  must  exist  an  agent  Ay  such  that  there  are 
channels  (A,-,  Aj)  and  (Aj,  Ak).  By  the  definition  of  forwarding  trust,  the  forwarding  trust 
requires  privacy  of  messages  from  Ak  to  Ay  ,  and  from  A;  to  A,  .  Thus,  channelfA*,  Aj)  and 
channel(Ay ,  A; )  are  required  for  forwarding  trust.  We  show  below  that  the  forwarding  tmst  is 
necessary,  and  hence  channel(At ,  A; )  and  channel(A; ,  Aj )  are  necessary. 

We  first  show  that  the  authenticity  tmst,  the  forwarding  mist  and  the  key  user-possessor 
trust  are  sufficient,  and  then  that  they  are  necessary. 

In  SKE-based  composition  of  channel(A; ,  Ak)  from  channels  (A; ,  A;)  and  (Ay,  Ak),  when 
A,-  uses  keyx  for  channel(A,-,  Ak),  it  must  have  received  keyx  on  its  existing  channel  with  Aj, 
and  hence  BiB;B(towner(fe^z,  Ak)  is  true.  Applying  the  authenticity  tmst,  Bkovmer(keyx,  Ak) 
is  true.  Thus,  Ak  uses  keyx  to  send  messages  to  A,-  and  to  receive  secret  messages  from  A,-.  We 
have  to  show  that  no  other  agent  possessing  keyx  compromises  the  two  conditions  of 
channel(At- ,  Ak). 

Consider  a  fourth  agent  that  possesses  keyx .  The  agent  must  have  obtained  keyx  either  (1) 
directly  from  A;  or  Ak,  or  (2)  indirectly  from  A;  or  Ak,  i.e.,  through  a  sequence  of  agents,  start¬ 
ing  with  some  agent  that  received  directly  from  Aj  or  Ak .  Since  the  forwarding  tmst  TF(Ai,  Aj , 
Ak)  is  tme,  A;  knows  the  identities  of  all  agents  Am  that  have  obtained  keyx  directly  from  Aj  or 
Ak.  Since  the  key  privacy  tmst  TKP (A, ,  Am,  Ak)  is  tme,  no  such  agent  Am  can  obtain  keyx 
indirectly.  For  each  Am ,  the  tmst  against  masquerading  is  tme,  hence  no  other  agent  except  Ak 
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sends  messages  using  keyx  and  the  authenticity  condition  of  channeled,-,  Ak)  is  satisfied.  For 
each  Am,  the  message  privacy  trust  is  true,  and  hence  no  other  agent  except  Ak,  A and  Am 
obtain  a  secret  message  sent  by  At  using  keyx .  But  d,-  knows  the  identities  of  Ak,  Aj  and  Am , 
and  hence  the  privacy  condition  of  channel(d,- ,  Ak)  is  satisfied.  Thus,  the  trusts  are  sufficient 
for  channel(d,- ,  A k)  to  be  established. 

The  proof  that  the  authenticity  trust  is  necessary  is  the  same  as  that  in  Theorem  3.2. 

We  now  show  that  each  assignment  to  the  variables  keyx,  msgx,  dml,  dm2  and  Am  that 
falsifies  either  the  forwarding  trust  or  the  key  privacy  trust  or  the  trust  against  masquerading  or 
the  message  privacy  trust  can  also  falsify  one  of  the  two  conditions  of  channeled, ,  Ak). 

Consider  the  forwarding  trust.  Its  negation  can  be  written  as: 

(B  i  Bj  Bk  owner  ( keyx ,  A  k)  A  send  (A j,  keyx )  A  receive  (dm  2,  keyx )  A 

~BiBj  receive  (dm2,  keyx ))  V(BiBJBkowner(keyx,Ak)  A  send  (A  k,  keyx )  A 

receive  (dm  i ,  keyx )  A  'Bj  Bk receive  (Am  j ,  keyx )  V (B, BjBk owner  ( keyx ,  Ak )  A 

BjBkreceive(Aml,  keyx )  A  'Bi Bj Bk receive (dm t ,  keyx))  (3.3) 

In  the  above  expression,  if  the  first  disjunct  is  satisfied,  d,-  uses  keyx  as  the  key  of  channeled, , 
Ak),  dm2  receives  keyx,  but  d,  does  not  receive  the  identity  of  Aml.  Thus,  the  second  channel 
condition  is  not  satisfied.  If  either  the  second  or  the  third  disjunct  is  satisfied,  d,  uses  keyx  as 
the  key  of  channeled,-,  Ak),  dml  receives  keyx,  but  d,-  does  not  receive  the  identity  of  dml. 
Thus,  again,  the  second  channel  condition  is  not  satisfied.  Hence  the  forwarding  trust  is  neces¬ 
sary. 

The  negation  of  the  message  privacy  trust  can  be  written  as  follows: 
send  (d, ,  msgx )  A  B,  receive  (Ak ,  msgx )  A  receive  (Am ,  msgx )  A 

send(Am,  msgx)  (3.4) 

If  expression  (3.4)  is  satisfied,  d,  sends  a  secret  message  msgx  t o  Ak,  Am  is  able  to  decrypt 
msgx,  and  dm  sends  msgx  to  some  other  agent.  In  this  instance,  the  privacy  condition  of 
channeled, ,  Ak )  is  not  satisfied. 

The  negation  of  the  key  privacy  trust  can  be  written  as  follows: 

fi, Bk owner  ( keyx  ,Ak)  A  send (dm ,  keyx )  (3.5) 

If  expression  (3.5)  is  satisfied,  d,-  uses  keyx  as  the  key  of  channeled,- ,  Ak),  and  Am  sends  keyx  to 
some  other  agent  whose  identity  d,-  may  not  know.  Thus,  the  privacy  condition  of  channel(d,- , 
Ak)  is  not  satisfied. 

The  negation  of  the  trust  against  masquerading  can  be  expressed  as: 

receive  (d ,- ,  msgx )  A  Bt  send  (A k ,  msgx )  A  send  (A m,  msgx )  (3.6) 

If  expression  (3.6)  is  satisfied,  d,-  receives  a  message  msgx,  d,  determines  that  the  sender  of 
msgx  is  Ak,  but  the  true  sender  of  msgx  is  Am .  Thus,  the  authenticity  condition  of  channel(d,-, 
Ak)  is  not  satisfied. 
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All  of  the  above  trusts,  i.e.,  the  authenticity  trust,  the  forwarding  trust,  the  key  privacy 
trust,  the  trust  against  masquerading  and  the  message  privacy  trust  are  necessary. 

This  concludes  the  proof  of  Theorem  3.3. 

□ 


The  key  and  message  privacy  trusts  exhibit  an  interesting  property.  In  SKE-based  compo¬ 
sition  of  channel(A,- ,  Ak)  from  channels  (AL  ,  Ay )  and  (Ay ,  Ak),  let  the  key  of  channel(Ay ,  A, )  be 
keyy .  For  channel(Ay ,  A, )  to  exist,  for  each  agent  A„  that  possesses  keyy ,  message  privacy  trust 
TMP(Aj,An,Ai )  must  be  true.  When  Ay  sends  Ak ’s  key,  keyx  on  channel(Ay,  A,),  agent  A„  can 
receive  keyx.  However,  Tmp(Aj,  A„,  A,)  requires  that  A„  not  reveal  a  message  sent  on 
channel(Ay ,  A; )  and  hence  not  reveal  keyz .  The  condition  that  A„  not  reveal  keyx  is  exactly  the 
requirement  of  the  key  privacy  trust,  TKP (A, ,  An,Ak).  Thus,  the  validity  of  the  key  privacy 
trust,  Tkp  (Ay ,  A„,  A,),  follows  from  the  validity  of  the  message  privacy  trust,  TUP  (Ay,  A„,  A,). 
This  is  summarized  by  the  following  theorem. 

Theorem  3.4  (Privacy  Trust  Theorem):  V  AitAj,Ak,An,  keyz , 

(Bt BjBk owne^A* ,  keyx )  A  TMP (Ay ,  An ,  A,- ))  =>  Tgp {Ai,An,Ak). 

□ 


3.6.  Composition  of  Two  Dependent  Channels 

Suppose  that  channel(Af- ,  Ak)  is  to  be  composed  from  channels  (A,,  Ay)  and  (Ay ,  Ak).  Let 
channels  (A, ,  Ay)  and  (Ay ,  A*)  be  dependent  channels  with  channel(A; ,  Ay )  having  been  com¬ 
posed  earlier  from  channels  (A,- ,  A  /  ),  (A  j  ,  A  l ) (A,1,  Ay ),  and  with  channel(Ay ,  Ak  )  having 

been  composed  earlier  from  channels  (Ak ,  A  f ),  (A  f ,  A | ) . (A^,  Ak)  (see  Figure  3.7).  Being 

dependent  channels,  channels  (A,-,  Ay)  and  (Ay,  Ak)  have  some  trust  requirements,  and  these 
trust  requirements  get  carried  over  to  channel(A,-,  Ak).  In  contrast,  component  channels  in 
independent  channel  composition  have  no  trust  requirements. 


Figure  3.7:  Dependent  channel  composition 
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The  channel  composition  mechanism  is  identical  in  independent  and  dependent  channel 
composition,  but  the  trust  requirements  are  different.  To  see  why,  let  Ak  send  its  key,  keyx,  to 
Aj  in  a  message  msgkj ,  and  let  Aj  forward  keyx  to  A-t  in  a  message  msgji  to  At .  Keyx  is  a  public 
key  in  the  PKE  scheme  and  a  single  key  in  the  SKE  scheme.  In  the  SKE  scheme  msgkj  and 
msgji  are  both  secret  messages  encrypted  using  the  algorithms  of  channels  ( Ak,Aj )  and  {Aj ,  At) 
respectively.  In  both  SKE  and  PKE  schemes,  when  A}  receives  msgkj ,  A}  authenticates  msgkj 
using  the  algorithm  of  channel^,  Ak),  and  when  A-t  receives  msgji,  Ai  authenticates  msgji 
using  the  algorithm  of  channel^,-,  Aj).  However,  the  validities  of  these  algorithms  are  con¬ 
tingent  upon  the  satisfaction  of  the  trust  requirements  of  the  respective  channels  with  which  the 
algorithms  are  associated.  Thus  the  validities  of  messages  msgkj  and  msgji,  and  the  validity  of 
key x  transmitted  in  these  messages,  are  dependent  upon  the  trust  requirements  of  the  component 
channels. 

Let  us  compute  exactly  the  effects  of  the  trust  requirements  of  the  component  channels  on 
the  validity  of  keyx.  The  trust  requirements  of  the  component  channels  can  in  general  be 
expressed  as  trust  predicates,  which  are  boolean  combinations  of  the  trusts  such  as  the  authenti¬ 
city  trust,  the  forwaiding  trust,  etc.  Given  the  truth  or  falsity  of  the  various  trusts  in  these 
boolean  combinations,  trust  predicates  can  be  evaluated  to  true  or  false.  The  satisfaction  of  a 
trust  predicate  associated  with  a  channel  is  necessary  and  sufficient  for  the  satisfaction  of  the 
authenticity  and  privacy  conditions  (given  in  Section  3.2)  of  the  channel.  Let  predkj,  predjk, 
predji  and  predij  denote  the  trust  requirements  of  channels  {Ak,  A j),  {Aj,Ak),  ( AJtAi )  and  (AX, 
Aj)  respectively  5.  The  effects  of  these  trust  predicates  on  channel^, ,  Ak)  are  computed  in  four 
steps: 

(1)  Ak  sends  its  key,  keyx  to  Aj  in  msgkj:  In  the  PKE  scheme,  there  are  no  trust-related  compu¬ 
tations  6  at  this  step  of  the  mechanism.  In  the  SKE  scheme,  msgkj  is  sent  as  a  secret  message, 
and  Ak  has  to  compute  the  set  setm X  of  all  agents  Am ,  that  can  decrypt  msgkj .  For  each  Am ,,  a 
key  user-possessor  trust  involving  A-t,  Aml  and  Ak  is  required.  Let  TKUP (A; ,  setmX,  Ak)  = 
[TfcupiAi,  AmX,  Ak)  |  Aml  e  setmX).  The  key  user-possessor  trust  requirement  is  expressed  as 
follows: 

Tkup (Ai •  setm i,  Ak)  =>  channel {At ,  Ak)  (3.7) 

However,  the  set  of  agents  that  can  decrypt  msgkj  depends  on  the  encryption  algorithm  of 
channel(A*.  Aj),  which  depends  on  predkj.  This  dependency  is  expressed  by  modifying  for¬ 
mula  (3.7)  to: 

predkj  =>  (Tfojp (At- ,Am,Ak)=>  channel (At ,  Ak))  (3.8) 

(2)  Aj  receives  msgkj:  In  both  PKE  and  SKE  schemes,  Aj  authenticates  msgkj  using  the  algo¬ 
rithm  of  channel^ ,  Ak ),  which  is  dependent  on  predjk .  This  dependency  in  the  PKE  scheme  is 
expressed  as: 


5  If  channel(At,  Aj),  channel^,-.  -4*),  charmel(A;,  A,)  and  channel(A;,  A;)  had  been  independent  channels, 
none  of  the  trust  predicates  predtj,  predj1t,  predji  and  predij  would  have  been  necessary,  which  is  equivalent  to  say¬ 
ing  that  the  trust  predicates  would  have  been  equal  to  the  boolean  constant  "TRUE”. 

6  By  trust-related  computation  at  an  agent  we  mean  an  encryption  or  decryption  operation  involving  the  key  of 
another  agent. 
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predjk  =>  channel (AitAk)  (3.9) 

In  the  SKE  scheme,  this  dependency  is  expressed  by  modifying  formula  (3.8)  to: 

predjk  =>  (predkj  =>  (TKUP  (A; .  setm x,  Ak)  =>  channel  (A, ,  Ak)))  (3.10) 

(3)  Aj  forwards  key*,  in  msgji  to  A(:  In  the  PKE  scheme  there  are  no  trust-related  computa¬ 
tions  at  this  step  of  the  mechanism.  In  the  SKE  scheme,  the  key  user-possessor  trust  is  required 
in  all  agents  Aml  that  can  decrypt  the  secret  message  msgji .  This  requirement  is  expressed  by 
modifying  formula  (3.10)  to: 

Tfcup 04; *  setm2,  Ak )  =>  (predjk  =>  ( predkj  =>  (TKVP{A^setmhAk)  => 

channel  (AitAk))))  (3.11) 

However,  the  set  of  agents  that  can  decrypt  msgji  depends  on  the  encryption  algorithm  of 
channel(A j ,  A,- ),  which  depends  on  predy .  Thus,  formula  (3.11)  gets  modified  to: 

predji  ->  (TKup(Ai,setm2,  Ak)  =>  (predjk  =>  (predkj  ->  (TKUp(Ai,setml,Ak) 

=>  channel(Ai,  A*)))))  (3.12) 

(4)  A,  receives  msgj,:  In  the  PKE  scheme,  the  authenticity  trust  is  required  of  A;.  This  require¬ 
ment  is  expressed  by  modifying  formula  (3.9)  to: 

Ta  ( Ai ,  Aj ,  Ak )  =>  (predjk  ->  channel  (At ,  Ak ))  (3- 13) 

However,  the  validity  of  the  determination  of  Aj  as  the  sender  of  msgji  is  contingent  upon  the 
validity  of  the  algorithm  of  channel(A, ,  A} )  that  A-t  uses  to  authenticate  msgji  •  final  depen¬ 
dency  in  the  PKE  scheme  is  expressed  by  modifying  formula  (3.13)  to: 

predij  =>  ( TA(Ai,Aj,Ak )  =>  (predjk  =>  channel (A{ ,  Ak)))  (3.14) 

In  the  SKE  scheme,  three  trusts  involving  At ,  Aj  and  Ak  are  required,  namely,  the  authenticity 
trust,  the  forwarding  trust  and  the  key  user-possessor  trust.  These  trust  requirements  are 
expressed  by  modifying  formula  (3.12)  to: 

(TA(Ai,Aj,Ak)  A  Tp(Ai,Aj,Ak )  A  TKUP(Ai,Aj,Ak ))  =>(predJl  => 


(Tkup  (A  ■  set  mi,  Ak)  ->(predjk  =>  (predkj  =>  (Tkup(Ai  ,  setml,  Ak)  => 


channel  (A,  ,  A* ))))))  (3.15) 

However,  the  identity  of  Aj  used  in  the  above  expression  is  authentic  only  if  the  algorithm  of 
channel(A,-,  A})  used  by  A,  to  authenticate  the  received  message  msgji,  is  vaiid-  Thus,  we 
obtain  the  following  final  expression  for  the  SKE  scheme: 

predij  =>  ((Ta  (Ai  ,  Aj ,  A*)  A  Tp (A,  ,Aj,Ak)  A  TKUP (A,-  ,A;,  Ak))  =>  (predji  => 

(Tjft//>  (A; ,  A^)  =>  (predjk  ='>  (Pre^kj  =->  C^KUP  (A ; ,  setm  x,  A^ )  — > 

channel  (At- ,  A*)))))))  (3.16) 


The  following  two  theorems  summarize  all  the  above  results  regarding  trust  requirements  in 
PKE-  and  SKE-based  dependent  channel  composition. 

Theorem  3.5:  Let  dependent  channels  (A,-,  A^)  and  (Aj,  Ak)  be  composed  to  form  channel^,-, 
Ak)  using  the  PKE  scheme.  Let  the  trust  predicates  associated  with  the  two  component  chan¬ 
nels  be predij  and predjk,  respectively.  The  trust  requirements  of  channel(A,-,  Ak)  are  expressed 
as  follows: 

pred^  =>  (Ta  ( A, ,  Aj  ,Ak)=>  ipredjk  =>  channel^ ,  Ak))) 

□ 


Theorem  3.6:  Let  dependent  channels  (A,,  Aj),  (Aj,Ak),  ( Aj,Ak )  and  (Ak ,  Ay)  be  composed  to 
form  (Ai ,  Ak)  using  the  SKE  scheme.  Let  the  trust  predicates  associated  with  the  four  com¬ 
ponent  channels  be  pred^ ,  predji ,  predjk  and  predkj ,  respectively.  Further,  let  the  sets  of  agents 
that  can  decrypt  secret  messages  on  channel(A*,  Aj)  and  channel(A;,  A,)  be  setmX  and  setm2, 
respectively.  The  trust  requirements  of  channel(A, ,  Ak)  are  expressed  as  follows: 

pred^  =>  (( TA(Ai ,  Aj,  Ak)  A  TF(Ai,  Aj,  Ak)  A  T^p (A, ,  Aj,  Ak))  =>  (predji  => 
(Tfcup (Ai ,  set„2,  Ak)  —>  (predjk  =>  (predkj  —>  (Tkup^Ai,  setmX,  Ak)  —  >  channel(A,-, 
A*))))))) 

□ 


Notice  that,  since  an  independent  channel  is  a  special  case  of  a  dependent  channel,  in 
which  the  trust  predicate  associated  with  the  channel  is  the  constant  “TRUE”,  a  composition 
involving  an  independent  channel  and  a  dependent  channel  is  a  special  case  of  dependent  chan¬ 
nel  composition,  and  hence  does  not  require  a  separate  analysis. 

We  conclude  this  section  with  the  observation  that,  as  channels  are  composed  to  form 
newer  channels,  the  trust  requirements  propagate.  With  each  channel  composition,  the  number 
of  trusts  required  for  the  composed  channel  increases  by  a  factor  of  two  for  the  PKE  scheme  and 
by  a  factor  of  four  for  the  SKE  scheme. 

3.7.  Composition  of  More  Than  Two  Channels 

A  distributed  system  provides  independent  channels  at  the  time  of  system  configuration. 
By  Theorem  3.1,  any  other  channel  in  the  system  must  be  composed  from  independent  or 
dependent  channels  using  a  sequence  of  two-channel  compositions.  Some  of  these  two-channel 
compositions  will  involve  only  independent  channels,  and  some  will  involve  dependent  chan¬ 
nels  that  are  results  of  earlier  two-channel  compositions  in  the  sequence.  We  now  illustrate  the 
analysis  of  trust  requirements  in  a  sequence  of  two-channel  compositions.  Notice  that,  after  a 
channel  has  been  established  by  composing  a  sequence  of  existing  channels,  the  messages  on 
the  channel  do  not  have  to  follow  the  same  route  as  the  channel  establishment  messages.  How¬ 
ever,  any  agent  that  has  the  channel  key  can  obtain  a  message  on  the  channel  by  eavesdropping 
on  whatever  route  the  message  takes.  Thus,  the  route  taken  by  the  messages  does  not  affect  the 
trust  requirements  of  the  channel. 

Figure  3.8  shows  a  sample  distributed  system,  in  which  there  are  agents  A,-,  Ayl,  Aj2,  Ay3 
and  Ak,  and  there  are  existing  independent  channels  (A,- ,  Ayl),  (A;1,  Aj2),  (. Aj2 ,  Aj3)  and  (Ay3, 
Ak).  Figure  3.8  can  be  thought  of  as  part  of  the  system’s  hierarchical  name  space 
[Lu86,TPR84],  in  which  A;1,  Aj2  and  A;3  are  name  servers  and  there  are  independent  channels 
between  each  node  and  its  parent. 
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Figure  3.8:  Composition  of  more  than  two  channels 


Suppose  a  new  channel,  (d,-,  d*),  is  to  be  established.  Several  sequences  of  two-channel 
compositions  can  be  used.  One  such  sequence  is: 

(1)  channels  (dy-2,  dy3)  and  (dy3,  Ak)  are  composed  to  form  channel  (dy2.  Ak ), 

(2)  channels  (dyl,  dy2)  and  (dy2 ,  Ak )  are  composed  to  form  channel(dy  j,  Ak),  and 

(3)  channels  (Aif  A ;1)  and  (dyl,  Ak)  are  composed  to  form  channel(d, ,  A k). 

The  intermediate  channels,  channel  (dy2,  >1*)  and  channeled;  u  Ak),  are  both  dependent  channels. 
In  the  following  two  sub-sections,  we  analyze  the  trust  requirements  in  the  above  sequence  of 
channel  compositions  using  PKE  and  SKE  schemes. 

3.7,1.  Sequence  of  PKE-based  Channel  Compositions 

In  the  PKE  scheme,  each  of  the  three  compositions  in  the  sequence  requires  an  authenti¬ 
city  trust,  and  hence  channeled, ,  Ak)  requires  a  conjunction  of  all  the  three  authenticity  trusts: 

Ta(Aj2,  dy3,  Ak)  A  Ta(AjX,  Aj2,  Ak)  A  TA (d,- ,  AjX,  Ak)  (3.17) 


3.7.2.  Sequence  of  SKE-based  Channel  Compositions 

SKE-based  two-channel  composition  requires  bidirectional  component  channels,  hence, 
all  the  independent  channels  must  be  bidirectional,  and  all  the  intermediate  dependent  channels 
must  be  established  in  both  directions.  Thus,  establishing  channeled,- ,  Ak)  in  the  system  of  Fig¬ 
ure  3.8  consists  of  a  sequence  of  five  compositions.  Thus,  five  authenticity  trusts  are  required: 

Ta  (Aj2,  Ajj,  Ak)  A  Ta  (Ak ,  d;-3,  d;2)  A  TA  (AjX,  Aj2,  Ak)  A  T A  (Ak ,  Aj2,  d;  ])  A 


TA(Ai,Aji,Ak)  (3.18) 

Each  of  the  five  channel  compositions  also  gives  rise  to  a  forwarding  trust,  resulting  in  the  fol¬ 
lowing  predicate  of  forwarding  trusts: 

7V(d;-2,  dy3,  Ak)  A  TF(Ak,Aj3,  A]2)  A  Tf(AjX,  A  j2,  Ak)  A  TF(Ak ,  Aj2,  An)  A 
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TF(Ai,Aji,Ak)  (3.19) 

Evaluating  the  key  user-possessor  trust  requirements  consists  of  evaluating  the  identities  of 
agents  other  than  At  and  Ak  who  may  have  obtained  the  keys  of  the  five  newly  established 
r.hannp.ls  when  they  participated  in  the  sequence  of  channel  compositions  leading  to  the  estab¬ 
lishment  of  the  new  channels.  Let  us  assume  that  the  key  of  each  independent  channel  is  known 
only  to  the  two  ends  of  the  independent  channel.  In  the  first  two  compositions,  the  keys  of 
newly  established  channels  (Ay2,  Ak)  and  (Ak ,  Ay2)  are  known  only  to  Ay3  in  addition  to  Aj2  and 
Ak.  Thus,  the  first  two  compositions  require  two  key  user-possessor  trusts,  one  for  each  compo¬ 
sition: 

Tfojp  (Aj2,  Aji,  Ak)  A  TKup  (Ak ,  Ay3,  Ay2)  (3.20) 

In  the  next  two  compositions,  channels  (Ayl,  Ak)  and  (Ak,  Ayl)  are  established  from  channels 
( Ajx ,  Ay2)  and  (Ay2,  Ak).  In  these  compositions,  not  only  Ay2,  but  also  Ay3  can  obtain  the  keys 
of  channel(Ay  x,  Ak)  and  channel(A* ,  Ay  t).  Thus,  the  key  user-possessor  trust  requirements  prol¬ 
iferate,  and  the  key  user-possessor  trust  requirements  for  the  third  and  the  fourth  compositions 
are: 

Tfojp (Aji,  Aj2,  Ak)  A  T,ajP (Aji,  Aji,  Ak )  A  TKUP (Ak,Aj2,  Aj  t)  A 
TKUp(Ak,Aj2,Aji )  (3.21) 

In  the  final  composition,  channeled ,  Ak)  is  established  from  channels  (Ait  Ayl)  and  (Ayl,  Ak). 
Agents  Aji,  Aj2  and  Ay3  can  all  obtain  the  key  of  channel  (A  ,■ ,  Ak).  Thus  the  key  user-possessor 
trust  requirements  for  the  final  composition  are: 

Tkup  (Ai ,  Aj !,  Ak)  A  Tkup (At ,  Aj2,  Ak)  A  TKUP  (At ,  Ay3,  Ak)  (3.22) 

The  key  user-possessor  trust  requirement  for  the  entire  sequence  of  compositions  is  a  conjunc¬ 
tion  of  the  three  formulae  (3.20),  (3.21),  and  (3.22). 

It  is  interesting  to  observe  that  the  trust  expressions  are  not  symmetric  in  A}  x,Aj2  and  Ay3. 
Hence,  different  channel  composition  sequences,  even  when  they  use  the  same  set  of  indepen¬ 
dent  channels  and  establish  the  same  final  channel,  may  require  different  trust  relationships. 

3.8.  Differences  between  PKE  and  SKE  Schemes 

It  is  clear  from  the  previous  sections  that  channel  compositions  using  PKE  and  SKE 
schemes  require  different  trust  relationships.  In  fact,  the  PKE  scheme  requires  only  a  small  sub¬ 
set  of  the  trusts  required  by  the  SKE  scheme. 

Using  informal  arguments,  Popek  and  Kline  [K1P79]  claim  that  PKE  and  SKE  schemes 
have  identical  trust  requirements.  Because  of  their  informal  approach  to  trust,  Popek  and  Kline 
were  not  able  to  see  differences  in  trust  requirements  between  the  PKE  and  SKE  schemes,  and 
hence  a  number  of  advantages  of  the  PKE  scheme  were  not  identified.  To  compare  their 
approach  with  ours,  we  briefly  describe  Popek  and  Kline’s  approach  to  determining  trust 
requirements  in  PKE  and  SKE-based  channel  composition  mechanisms. 

Consider  the  composition  of  channels  (A,-,  Ay)  and  (Aj,Ak)  to  form  channel(A,-,  Ak).  In 
the  PKE  scheme,  each  channel  requires  a  (public-key,  private-key)  pair.  In  particular,  Aj  must 
possess  its  private  key  and  Ak  s  public  key.  A}  must  keep  its  private  key  secret.  For 
channeKA, ,  Ak )  to  be  established,  A y  forwards  Ak ’s  public  key  to  A,- .  In  the  SKE  scheme,  each 
channel  requires  a  single  key.  Channels  (A,-,  Ay)  and  (Aj,Ak)  require  Ay  to  possess  their  single 
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keys.  During  the  establishment  of  channel^,- ,  Ak),  Aj  may  come  to  know  the  single  key  of  that 
channel  (since  Aj  is  involved  in  forwarding  it).  Ay  has  to  keep  all  the  single  keys  in  its  posses¬ 
sion  secret  However,  notice  that  Aj  can  encrypt  all  the  single  keys  in  its  possession  with 
another  key  keymtraU  and  keep  keymeraU  secret.  Since  in  the  PKE  scheme  Aj  had  to  keep  its 
own  private  key  secret  anyway,  one  can  conclude  that  in  both  PKE  and  SKE  schemes  A}  is 
trusted  to  keep  one  key  secret.  Thus,  the  trust  requirements  in  both  the  PKE  and  SKE  schemes 
are  the  same. 

In  the  approach  described  above,  Popek  and  Kline  are  using  the  notion  of  trust  to  represent 
the  secret-keeping  behavior  of  an  agent,  and  ignore  all  other  aspects  of  agent  behavior.  This 
lack  of  consideration  of  all  the  inherent  assumptions  in  PKE  and  SKE -based  channel  composi¬ 
tion  mechanisms  is  a  major  drawback  of  their  approach,  and  is  a  consequence  of  its  informality. 
Assumptions  about  keeping  secrets  are  just  one  kind  of  assumptions  necessary  in  channel  com¬ 
position  mechanisms.  For  instance,  in  the  SKE-based  channel  composition  scenario,  Aj  is 
assumed  not  only  to  keep  the  single  key  of  channel  (A; ,  Ak)  secret,  but  also  not  to  use  that  single 
key  either  for  masquerading  as  Ak  or  for  decrypting  a  secret  message  on  channel(A, ,  Ak).  It 
should  be  noted  that,  in  our  formal  approach  to  trust,  we  capture  all  these  assumptions. 

Even  with  regard  to  assumptions  about  keeping  secrets,  there  are  three  major  differences 
between  the  two  approaches.  The  differences  are  best  explained  with  reference  to  the  composi¬ 
tion  of  channels  (A, ,  Aj )  and  (Aj,  Ak). 

(1)  In  our  approach  (unlike  Popek  and  Kline’s),  there  is  no  trust  requirement  involving  an 
agent  Ay  if  Aj  has  to  keep  its  own  private  key  secret.  Trust  requirements  involving  Aj 
arise  only  when  A }  has  to  keep  the  key  of  some  other  agent  or  channel  secret.  To  illus¬ 
trate  this  difference,  notice  that,  in  the  PKE  scheme,  if  Aj ’s  private  key  gets  compromised 
after  channel(A,-  ,Ak)  has  been  established,  only  Ay  needs  to  change  its  private  key,  and  A, 
and  Ak  are  unaffected.  In  the  SKE  scheme.  Ay  has  to  keep  the  key  of  channel  (A,  ,  Ak) 
secret,  and  if  this  key  gets  compromised.  A,  and  Ak  have  to  re-establish  channel  (A,-,  Ak) 
whereas  Ay  is  unaffected.  Popek  and  Kline’s  approach  does  not  yield  these  distinctions. 

(2)  Unlike  Popek  and  Kline’s  approach,  in  our  approach  two  trusts  are  different  if  the  security 
losses  due  to  their  being  ill  posed  are  different.  To  see  this  point,  notice  that,  in  the  PKE 
scheme,  if  Ay ’s  private  key  gets  compromised  after  channel(A,- ,  Ak )  has  been  established, 
security  losses  may  involve  resources  owned  by  Ay.  In  the  SKE  scheme,  suppose  Ay 
encrypts  all  the  single  keys  in  its  possession  with  a  key  keyoverali ,  and  keeps  keyoverali 
secret.  Security  losses  resulting  from  a  leak  of  key^^u  may  involve  resources  owned  by 
Ai ,  Ay ,  and  Ak .  Thus,  the  security  losses  due  to  a  leak  of  Ay ’s  private  storage  are  different 
in  the  PKE  and  SKE  schemes,  and  hence,  in  our  approach,  their  trust  requirements  are 
vastly  different.  Popek  and  Kline’s  approach  does  not  make  these  distinctions,  as  is  clear 
from  the  fact  that  their  approach  equates  the  trust  concerned  with  keeping  Ay ’s  private  key 
secret  with  that  with  keeping  keyoveraU  secret. 

(3)  Popek  and  Kline’s  approach,  unlike  ours,  captures  only  the  steady  state  assumptions  with 
regard  to  keeping  secrets.  Thus,  in  SKE-based  channel  composition,  even  though  Ay  can 
store  all  the  single  keys. encrypted  with  another  key  keyoverau ,  there  is  a  finite  time  period 
preceding  the  encryption  by  keyoveran  during  which  more  than  one  single  key  has  to  be 
kept  secret 

To  further  see  how  our  formal  approach  yields  differences  between  PKE  and  SKE  schemes, 
notice  that,  in  our  approach,  the  SKE  scheme  requires  four  more  trusts  than  the  PKE  scheme, 
namely,  the  forwarding  trust,  the  message  privacy  trust,  the  trust  against  masquerading,  and  the 
key  privacy  trust.  As  we  will  now  show,  each  of  these  additional  trusts  gives  rise  to  important 
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differences  between  PKE  and  SKE  schemes.  The  usual  channel  composition  scenario  involving 
A; ,  Aj  and  Ak  is  used  throughout 

3.8.1.  Differences  Arising  from  the  Forwarding  Trust 

Consider  the  SKE  channel  composition  scenario  depicted  in  Figure  3.6.  Suppose  that  Am  j 
obtained  Ak  ’s  key  by  decrypting  msgkj .  A  security  attack  on  Am  j  can  make  the  key  available  to 
the  attacker,  who  can  then  compromise  the  security  of  channel(A,- ,  Ak ).  Thus,  A,-  must  con¬ 
stantly  monitor  the  security  situation  at  Aml,  and  A,-  must  invalidate  channelCA,-,  Ak)  the 
moment  it  detects  a  security  attack  on  Am  j.  For  A,-  to  take  these  actions,  A,-  must  know  the 
identity  of  Aml,  which  is  what  is  exactly  abstracted  by  the  forwarding  trust.  In  contrast,  in  the 
PKE  scheme,  Am  \  can  only  obtain  the  public  key  of  Ak ,  and  an  attack  on  Am  j  may  reveal  Ak ’s 
public  key,  but  that  does  not  pose  any  security  danger  to  channelCA,- ,  Ak). 

3.8.2.  Differences  Arising  from  the  Message  Privacy  Trust 

In  the  SKE  scheme,  Ay  can  decrypt  secret  messages  sent  by  A;  on  channelCA,-,  Ak).  Sup¬ 
pose  there  is  a  security  attack  on  Aj  after  channelCA,-,  Ak)  has  been  established.  Any  secret 
message  on  channel(A,- ,  Ak)  that  Aj  might  possess  becomes  available  to  the  attacker.  In  the 
event  of  a  similar  attack  in  the  PKE  scheme,  Ay ,  since  it  does  not  possess  Ak ’s  private  key,  can¬ 
not  decrypt  secret  messages  on  channelCA,-,  Ak),  and  hence  secret  messages  on  channel(A,-,  Ak) 
remain  unavailable  to  Aj ’s  attacker. 

3.8.3.  Differences  Arising  from  the  Trust  Against  Masquerading 

In  the  SKE  scheme,  Ay  may  have  the  key  of  channel(A; ,  Ak)  in  its  possession.  Thus,  Ay 
can  send  messages  masquerading  as  Ak  on  channel(A,,  Ak),  In  the  PKE  scheme,  Ay,  since  it 
does  not  possess  A*  ’s  private  key,  cannot  masquerade  as  Ak  on  channelCA,- ,  Ak). 

3.8.4.  Differences  Due  to  the  Key  Privacy  Trust 

In  the  SKE,  Ay  has  the  single  key  of  channelCA,-,  Ak).  Suppose  there  is  a  security  attack 
on  Ay  after  channelCA,-,  Ak)  has  been  established.  Furthermore,  suppose  the  attacker  has  kept 
track  of  all  encrypted  messages  exchanged  on  channelCA,-,  Ak).  Once  the  attacker  obtains  the 
key  from  Ay ,  all  past,  present  and  future  secret  messages  on  channelCA, ,  Ak)  may  become  avail¬ 
able  to  the  attacker.  In  the  event  of  a  similar  attack  in  the  PKE  case,  since  A y  does  not  possess 
the  private  key  of  Ak,  past,  present  and  future  secret  messages  on  the  channel  remain  unavail¬ 
able  to  the  attacker.  This  difference  has  a  significant  impact  on  key  caching  and  can  be  illus¬ 
trated  as  follows.  Consider  Ak  s  key  which  is  used  as  the  key  of  channelCA,  ,  Ak).  When  key 
caching  is  used,  at  different  moments  different  agents  may  cache  Ak ’s  key.  Some  of  these 
agents  may  not  have  obtained  Ak ’s  key  for  the  purpose  of  encrypting  messages  to  A*,  but  may 
have  obtained  it  together  with  some  other  keys  from  the  name  server  for  the  sole  purpose  of 
caching  them.  In  the  SKE  scheme,  since  any  agent  that  may  have  cached  Ak ’s  key  can  decrypt 
all  past,  present,  and  future  messages  on  channel(A, ,  Ak),  A,-  must  place  key  user-possessor  trust 
in  every  agent  at  which  Ak ’s  key  may  have  been  cached  at  some  instant  in  time,  even  when 
channelCA,-,  Ak)  is  no  longer  in  use.  Such  enormous  trust  requirements  make  caching  highly 
unattractive.  In  contrast,  in  the  PKE  scheme,  caching  of  public  keys  can  be  used  without  limita¬ 
tions.  Note  that,  in  distributed  systems,  caching  in  general  is  highly  desirable  from  the 
viewpoint  of  performance  [Ter], 
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3.8.5.  Differences  with  Regard  to  Replication 

We  will  now  illustrate  that  replication  makes  trusts  easier  to  satisfy  in  the  PKE  scheme, 
but  makes  trusts  harder  to  satisfy  in  the  SKE  scheme. 

Consider  the  scenario  shown  in  Figure  3.9,  in  which  there  are  independent  channels  (ibm , 
ibm-j ),  ( ibm-j ,  jap),  (ibm,  sony-us),  and  ( sony-us ,  jap).  Suppose  a  new  channel  called 
channel A  is  established  between  ibm  and  jap  by  composing  (ibm ,  ibm-j )  and  (ibm-j ,  jap). 
In  PKE-based  composition,  ibm  obtains  a  key,  keyA ,  which  is  guaranteed  to  be  the  public  key 
of  jap  if  the  trust  requirement  (obtained  using  Theorem  3.3)  TA(ibm,  ibm—j,  jap )  for 
channel A  is  satisfied.  In  SKE-based  composition,  ibm  obtains  a  key,  keyA ,  which  is  guaranteed 
to  be  the  single  key  of  jap  if  the  trust  requirement  (obtained  using  Theorem  3.4)  TA(ibm, 
ibm -j ,  jap )  A  TF (ibm ,  ibm-j ,  jap)  A  TKUP (ibm ,  ibm -j ,  jap )  for  channel A  is  satisfied. 

Suppose  a  second  channel,  channel B ,  is  established  between  ibm  and  jap  by  composing 
(ibm,  sony-us)  and  (sony-us,  jap).  In  PKE-based  composition,  ibm  obtains  a  key,  keyB, 
which  is  guaranteed  to  be  the  public  key  of  jap  if  the  trust  requirement  TA  (ibm ,  sony  -us ,  jap ) 
for  channels  is  satisfied.  In  SKE-based  composition,  ibm  obtains  a  key,  keyB,  which  is 
guaranteed  to  be  the  single  key  of  jap  if  the  trust  requirement  TA(ibm,  sony-us,  jap)  A 
TF(ibm ,  sony-us  Jap)  A  TKUP (ibm ,  sony-us ,  jap )  for  channels  is  satisfied. 

Suppose  ibm  compares  the  keys,  keyA  and  keyB ,  and  uses  either  one  of  them  for 
channel(i6m ,  jap)  only  if  both  are  identical.  In  the  PKE  scheme,  if  at  least  one  of  ibm-j  or 
sony-us  returns  the  valid  public  key  of  jap ,  the  security  of  channel(i6m ,  jap)  is  guaranteed. 
Thus,  the  trust  relationship  required  for  channel(/6m ,  jap )  is  a  disjunction  of  the  trust  relation¬ 
ships  for  channelA  and  channels  (also  see  [VeA87]): 


Figure  3.9:  Replication  of  channels 
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Ta  ( ibm ,  ibm  J ,  jap )  V  TA  ( ibm ,  sonyjis ,  jap )  (3.23) 

Thus,  the  trust  requirements  decrease  with  replication  in  the  PKE  scheme. 

In  the  SKE  scheme,  even  though  it  is  necessary  that  at  least  one  of  ibm  J  or  sonyjis 
return  the  valid  single  key  of  jap ,  both  ibm  J  and  sony_us  may  possess  the  single  key  of  jap , 
and  the  forwarding  and  key  user-possessor  trusts  are  required  of  both  agents.  The  forwarding 
and  key  user-possessor  trusts  requirements  are: 

T F  ( ibm ,  ibm J ,  jap )  A  TKUP  ( ibm ,  ibm  J ,  jap )  A  TF  ( ibm ,  sonyjis ,  jap )  A 

T KVP  ( ibm ,  sonyjus ,  jap  )  (3 .24) 

This  shows  that  the  forwarding  and  key  user-possessor  trusts  increase  with  replication  in  SKE 
scheme.  Thus,  from  the  viewpoint  of  security,  replication  is  advantageous  in  PKE  systems  but 
disadvantageous  in  SKE  systems. 

In  conclusion,  our  formal  analysis  has  revealed  several  differences  between  PKE  and  SKE 
schemes,  and  these  differences  make  PKE  schemes  much  more  attractive  than  SKE  schemes  in 
large  distributed  systems. 

3.9.  Conclusion 

Trust  arises  primarily  in  establishing  channels  for  secure  communication.  The  only  way 
to  establish  a  new  channel  is  by  composing  a  sequence  of  existing  adjacent  channels.  There  are 
two  kinds  of  channels:  independent  channels,  which  have  no  trust  requirements  and  are  pro¬ 
vided  by  the  system  at  configuration  time,  and  dependent  channels,  which  are  composed  from 
independent  channels  and  have  trust  requirements.  Channel  composition  mechanisms  are  com¬ 
monly  based  on  either  public  key  encryption  (PKE)  or  single  key  encryption  (SKE).  PKE- 
based  channel  composition  requires  what  we  have  called  authenticity  trusts,  which  are  functions 
of  three  agents.  SKE-based  channel  composition  has  much  larger  trust  requirements  than 
PKE-based  channel  composition.  The  differences  in  trust  requirements  of  PKE  and  SKE-based 
channel  compositions  translate  to  significant  advantages  of  PKE  over  SKE-based  channel  com¬ 
position  with  respect  to  replication,  caching,  permanence  of  trust  requirements,  and  so  on.  Dif¬ 
ferent  sequences  of  compositions,  even  though  they  use  the  same  set  of  independent  channels 
and  establish  the  same  final  channel,  have  different  trust  requirements.  Thus,  our  analyses  pro¬ 
vide  insight  into  the  basic  structure  and  limitations  of  mechanisms  with  regard  to  their  trust 
requirements. 


CHAPTER  4 


SYNTHESIS 


We  show  that  it  is  desirable  to  have  a  tree  of  independent  channels  in  a  distributed  system, 
and  that  this  tree  represents  the  global  name  space  of  the  system.  To  establish  a  channel 
between  two  agents  in  a  name  space,  there  are  two  alternatives  for  the  order  in  which  the 
independent  channels  in  the  path  between  the  two  agents  can  be  composed,  and  they  are  called 
iterative  and  recursive .  These  two  channel  composition  orders  have  different  trust  require¬ 
ments  and  exhibit  interesting  duality  properties.  We  develop  algorithms  for  synthesizing  name 
spaces  so  that,  given  a  channel  composition  order  and  the  actual  trusts  of  all  agents,  channel 
composition  between  any  two  agents  requires  only  a  subset  of  the  given  set  of  trusts.  The  given 
trusts  are  in  general  functions  of  three  agents,  but  they  can  also  be  functions  of  two  agents,  in 
which  case  the  algorithms  are  simpler.  We  derive  some  NP-completeness  results  with  respect 
to  putting  bounds  on  the  size  of  the  database  of  encryption  keys  stored  at  each  node  in  a  name 
space.  Sample  runs  of  the  algorithms  show  that  small  differences  in  trust  relationships  can 
cause  substantial  differences  in  the  resulting  name  spaces. 

4.1.  Introduction 

Agents  sharing  a  distributed  system  have  trust  relationships  among  themselves.  One  of 
the  most  important  applications  of  a  formal  theory  of  trust  consists  of  synthesizing  a  distributed 
system  that  satisfies  the  trust  relationships  of  the  agents  in  the  system.  The  synthesis  of  a  sys¬ 
tem  from  trust  specifications  was  in  fact  the  eventual  goal  with  which  we  began  our  formal 
study  of  trust. 

In  this  chapter,  we  show  how  a  distributed  system’s  name  space  determines  the  trust 
requirements  needed  for  channel  composition  between  every  pair  of  agents,  and  we  develop 
algorithms  for  synthesizing  a  name  space  so  as  to  satisfy  a  given  set  of  trust  specifications  of 
agents.  Section  4.2  shows  the  association  between  a  name  space  and  a  tree  of  independent 
channels.  In  Section  4.3,  we  show  that  there  are  two  alternatives  for  the  order  in  which  the 
channels  between  two  agents  in  a  name  space  can  be  composed,  which  are  called  iterative  and 
recursive ,  and  examine  their  trust  properties.  In  Sections  4.4-4.9,  we  develop  polynomial-time 
algorithms  for  synthesizing  name  spaces  given  actual  trusts  of  ail  agents.  Each  node  in  the 
name  space  stores  a  database  with  the  encryption  keys  of  all  its  children,  and  it  is  desirable  to 
put  bounds  on  the  size  of  this  database.  We  derive  some  NP-completeness  results  in  this  regard. 
The  polynomial-time  name  space  synthesis  algorithms  to  be  described  in  Sections  4.4-4.9  have 
been  implemented  and  experimented  with.  Section  4.10  presents  some  interesting  sample  runs 
of  these  algorithms,  and  finally,  Section  4.11  concludes  the  chapter. 

4.2.  Necessity  of  Fast  Channel  Establishment  Procedures  in  a  VLDS 

Any  two  agents  in  a  distributed  system  must  be  able  to  communicate  securely  (see  Figure 
4.1).  One  way  to  achieve  this  is  to  have  an  independent  channel  between  each  pair  of  agents  in 
the  system  (see  Figure  4.2).  In  such  a  system,  no  new  channels  need  be  established,  and  hence 
there  are  no  trust  requirements  for  communication.  However,  there  are  several  disadvantages  in 
having  independent  channels  between  all  pairs  of  agents.  Since  independent  channels  have  to 
be  established  using  external  mechanisms,  there  would  be  0(n2)  channels  that  need  to  be 
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established  using  such  mechanisms.  External  mechanisms,  e.g.,  trusted  couriers,  are  expensive, 
extremely  slow  and  cumbersome.  Since  having  an  independent  channel  to  an  agent  requires 
storing  die  agent’s  encryption  keys,  each  agent  would  have  to  store  the  entire  database  of 
encryption  keys  of  all  other  agents. 

Such  a  scheme  has  numerous  performance  disadvantages  in  a  large  distributed  system. 
For  example,  when  an  agent  changes  its  keys,  the  agent  has  to  inform  every  other  agent  of  the 
change  through  external  mechanisms.  When  a  new  agent  joins  a  distributed  system,  the  new 
agent  has  to  choose  n  different  channel  keys  and  exchange  its  keys  with  every  other  agent  in  the 
system  through  external  mechanisms.  In  summary,  in  a  large  distributed  system,  it  is  not  desir¬ 
able  to  have  a  independent  channel  between  each  pair  of  agents.  The  number  of  independent 
channels  must  be  minimized. 

Given  an  initial  set  of  independent  channels  in  a  distributed  system,  any  two  agents  must 
be  able  to  establish  a  channel  by  composing  the  independent  channels  and  any  existing  depen¬ 
dent  channels  between  them.  Therefore,  if  we  represent  the  agents  as  nodes  and  independent 
channels  as  edges  in  a  graph,  the  initial  graph  of  independent  channels  must  be  connected. 

Let  us  suppose  that  we  have  a  connected  graph  of  independent  channels.  It  was  shown  in 
the  previous  chapter  that  the  trust  relationships  required  in  establishing  a  channel  between  two 
agents  is  determined  by  both  the  independent  channels  between  the  two  agents  and  the  order  of 
compositions  of  these  independent  channels.  Thus,  to  establish  a  channel  to  an  agent  Ibaraki , 
an  agent  such  as  Alice  would  have  to  keep  a  database  of  its  trust  relationships,  and  find  a  path  to 
Ibaraki  in  the  graph  of  independent  channels  such  that  the  trust  relationships  in  composing  the 
independent  channels  in  the  path  in  some  order  are  present  in  the  database.  The  channel  estab¬ 
lishment  procedure  would  involve  trying  out  a  sequence  of  independent  channels,  backtracking 
if  either  no  path  is  found  beyond  a  node  in  the  graph  or  a  path  is  found  but  the  path  requires 


Figure  4.1:  Agents  in  a  sample  VLDS 
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trust  relationships  not  present  in  its  database,  and  so  on  (see  Figure  4.3).  The  worst-case  perfor¬ 
mance  of  such  a  channel  establishment  procedure  would  be  intolerable. 

The  goal  of  this  chapter  is  to  investigate  whether,  given  the  trust  relationships  of  all  agents 
at  system  configuration  time,  we  can  synthesize  a  graph  of  independent  channels  so  that, 
between  any  two  agents  there  is  a  path  in  the  graph,  and  composition  of  the  independent  chan¬ 
nels  in  the  path  in  a  pre-specified  order  requires  only  a  subset  of  the  given  set  of  trust  relation¬ 
ships.  Thus,  an  agent  would  not  have  to  keep  a  database  of  its  trust  relationships,  and  at  chan¬ 
nel  establishment  time  the  agent  would  not  have  to  check  either  the  existence  of  a  path  or  the 
satisfiability  of  a  path’s  trust  requirements.  Consequently,  the  channel  establishment  procedure 
would  be  much  faster. 

What  kind  of  a  graph  of  independent  channels  should  we  synthesize  ?  It  is  desirable  to 
minimize  the  number  of  independent  channels.  A  connected  graph  with  a  minimum  number  of 
edges  is  a  tree.  Thus,  our  goal  is  to  synthesize  a  tree  of  independent  channels.  We  will  later 
examine  the  kinds  of  trees  that  are  more  preferable  than  others. 

In  a  tree  of  independent  channels  connecting  n  nodes,  there  are  exactly  n-l  independent 
channels  yielding  an  average  of  one  independent  channel  per  agent,  and  there  is  a  unique  path 
between  each  pair  of  agents.  An  agent  in  the  tree  must  be  able  to  determine  the  unique  path 


Figure  4.3:  Inefficient  channel  establishment  mechanism.  In  the  worst  case,  Alice  back¬ 
tracks  twice  while  finding  a  path  to  Ibaraki. 


between  itself  and  any  other  agent  without  searching  the  entire  tree.  For  instance,  in  Figure  4.3, 
to  establish  a  channel  to  ibaraki ,  it  should  not  be  necessary  for  alice  to  establish  a  channel  to 
ibm ,  backtrack  after  finding  that  there  is  no  further  path  from  ibm  towards  ibaraki ,  then  estab¬ 
lish  a  path  to  ibm-j ,  again  backtrack  since  there  is  no  further  path  from  ibm-j  to  ibaraki ,  and 
then  establish  a  path  to  ibaraki  through  jap  .  In  other  words,  given  the  names  of  two  agents,  it 
should  be  possible  to  write  down  the  independent  channels  between  them  without  having  to 
traverse  the  entire  tree. 

To  accomplish  a  fast  translation  from  the  names  of  two  agents  to  the  independent  channels 
between  them,  we  encode  the  independent  channels  into  the  agents’  names.  Specifically,  one  of 
the  agents  in  the  tree  is  designated  as  the  root  of  the  tree.  This  agent  acts  as  the  reference  point 
for  naming  the  nodes  of  the  tree.  The  name  of  an  agent  in  the  tree,  referred  to  as  its  pathname , 
encodes  the  independent  channels  from  the  root  to  the  agent.  Given  the  pathnames  of  two 
agents,  one  can  easily  write  down  the  sequence  of  independent  channels  in  the  path  between 
them.  Figure  4.4  illustrates  this  mechanism.  In  the  tree  shown  in  the  figure,  the  agent  named 
world  is  designated  as  the  root.  Each  pathname  begins  with  a  which  denotes  the  root  node 
(world).  The  pathname  of  Alice  is  /usalibmJalmJ alice  and  that  of  Ibaraki  is  /jap/ibm-j/ibaraki. 
Given  the  pathnames  iusalibml aim! alice  and  /jap/ibm-j/ibaraki,  the  independent  channels 
between  Alice  and  Ibaraki  are  (alice,  aim),  (aim,  ibm),  (ibm,  usa),  (usa,  root),  (root,  jap), 
(jap ,  ibm  J ),  and  ( ibm  J ,  ibaraki ).  Since  the  tree  of  independent  channels  determines  the 
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pathnames  of  agents,  the  tree  is  referred  to  as  a  name  space  of  the  distributed  system.  Each 
node  in  the  name  space  has  independent  channels  to  its  children  and  to  its  parent.  If  indepen¬ 
dent  channels  are  PKE-based,  each  node  keeps  a  database  of  public  keys  of  its  children  and  its 
parent. 

In  practice,  there  are  several  factors  other  than  security,  such  as  administrative  and  geo¬ 
graphical  factors,  that  must  be  considered  in  designing  a  name  space  for  a  distributed  system.  A 
name  space  that  is  optimal  from  the  viewpoint  of  security  may  not  be  so  from  the  viewpoint  of 
the  other  factors.  As  explained  in  Section  1.2,  having  two  separate  name  spaces,  one  for  secu¬ 
rity  purposes  and  a  second  one  for  other  purposes,  has  significant  performance  drawbacks. 
Thus,  in  practice,  it  is  desirable  to  design  a  single  name  space,  and  the  design  must  be  carried 
out  as  a  compromise  among  several  objectives,  both  security  and  non-security  oriented. 

It  should  be  noted  that  a  tree-structured  name  space  does  not  imply  a  hierarchical  trust 
pattern.  To  see  why,  notice  that  a  tree  is  hierarchical  with  respect  to  a  property  P  if  in  the  tree, 
whenever  P  holds  for  a  node,  P  also  holds  for  the  node’s  parent.  In  a  tree-structured  name 
space,  the  trust  relationships  of  a  node  need  not  form  a  subset  of  the  trust  relationships  of  the 
node’s  parent.  The  number  of  trust  relationships  of  a  node  can  be  much  larger  than  that  of  the 
node’s  parent. 

Figure  4.5  illustrates  the  non-hierarchical  nature  of  a  name  space  tree.  Let  A  be  a  child  of 
B ,  and  M  be  a  node  that  is  not  a  descendent  of  B.  B  is  on  the  path  from  A  to  each  of  A ’s  non- 
descendents.  Thus,  A  requires  a  trust  relationship  involving  B  for  establishing  a  channel  to 
each  of  A ’s  non-descendents.  C  is  on  the  path  from  A  to  each  of  B ’s  non-descendents.  Thus, 
A  requires  a  trust  relationship  involving  C  for  establishing  a  channel  to  each  of  B ’s  non- 
descendents.  The  set  of  nodes  that  are  non-descendents  of  B  is  a  subset  of  the  set  of  A ’s  non- 
descendents.  Thus,  there  are  more  trust  relationships  involving  A  and  B  than  those  involving  A 


root  node  ("I") 


lusal  ibm/almJalice 

Figure  4.4:  Fast  path  finding  mechanism 
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and  C .  Since  A  is  a  child  of  B ,  and  the  number  of  B  ’s  children  can  be  arbitrarily  large,  there 
can  be  more  trust  relationships  involving  B  than  C ,  even  though  C  is  B ’s  parent  in  the  tree. 
None  of  these  trust  relationships  involve  A  's  descendents,  and,  using  similar  arguments,  it  can 
be  shown  that  a  node  in  the  tree  need  not  fully  trust  all  its  descendents.  Thus,  there  is  no 
hierarchical  pattern  with  respect  to  trust  relationships  in  a  tree-structured  name  space.  This  can 
also  be  inferred  from  the  observation  that  the  selection  of  the  root,  which  determines  the 
parent-child  relationships  in  the  tree,  can  be  arbitrary:  any  node  can  be  designated  as  the  root  of 
the  tree.  The  root  just  acts  as  the  reference  node  for  naming  all  other  nodes. 

4J.  Channel  Composition  Algorithms 

Suppose  that  a  distributed  system  has  a  name  space  such  as  the  one  shown  in  Figure  4.4. 
Given  the  names  of  two  agents,  say  Alice  and  Ibaraki,  we  can  write  down  the  independent  chan¬ 
nels  in  the  path  between  them.  There  are  two  possibilities  for  the  order  in  which  these  indepen¬ 
dent  channels  can  be  composed  to  form  the  required  channel  between  Alice  and  Ibaraki,  called 
iterative  and  recursive  channel  composition,  respectively.  These  two  channel  composition 
orders  are  illustrated  next. 

4.3.1.  Iterative  Channel  Composition 

Consider  the  case  of  channel  establishment  from  Alice  to  Ibaraki  in  the  name  space  of 
Figure  4.4.  The  iterative  channel  composition  algorithm  composes  channels  beginning  from 
Alice  (see  Figure  4.6)  and  consists  of  the  following  steps  (see  Figure  4.7): 

Alice  makes  a  remote  invocation  F  Y  to  the  node  next  in  the  path  from  Alice  to  Ibaraki,  namely 
aim ,  requesting  the  encryption  key  of  ibm .  aim  returns  ibm  ’s  key  in  the  return  message  R j. 
This  in  effect  composes  the  channels  alice  -aim  and  aim  -ibm  to  form  the  channel  alice  -ibm . 


Figure  4.5:  Tree -structured  name  space  does  not  imply  hierarchical  trust 
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Alice  makes  a  remote  invocation  F2  to  ibm  requesting  the  key  of  usa .  The  return  message  R  2 
containing  usa ’s  key  results  in  the  composition  of  channels  alice-ibm  and  ibm -usa  to  from 
the  channel  alice  -usa . 

Alice  continues  to  make  such  remote  invocations,  and  compositions  of  channels  continue  until 
the  channel  alice  -ibaraki  is  established.  Since  alice  repeatedly  makes  remote  invocations  in 
this  algorithm,  the  algorithm  is  called  iterative  channel  composition. 

Figure  4.8  illustrates  the  trust  relationships  in  iterative  channel  composition.  C  is  B ’s 
parent  node,  N  is  any  descendent  of  B ,  and  M  is  any  non-descendent  of  B  (i.e.,  any  node  not  in 
the  subtree  rooted  at  B ).  To  establish  channel  M-N  using  iterative  channel  composition,  M 
successively  establishes  channels  to  nodes  in  the  path  from  M  to  N .  At  some  step  M  estab¬ 
lishes  a  channel  to  C ,  and  at  the  successive  step  it  establishes  a  channel  to  B  by  composing 
channels  M-C  and  C-B .  Using  the  results  of  Section  3.4,  TA(M ,  C ,  B)  is  true.  Similarly,  to 
establish  channel  N-M,N  successively  establishes  channels  to  nodes  in  the  path  from  N  to  M . 
At  some  step  N  establishes  a  channel  to  B ,  and  at  the  successive  step  it  establishes  a  channel  to 
C  by  composing  channels  N-B  and  B-C.  Hence,  TA(N,  B,  C)  is  true.  The  next  theorem 
summarizes  these  results.  We  will  use  the  term  “  node\  trusts  node2  for  node  3  ’  to  mean  that 
Ta  ( node  lt  node2,  node  3)  is  true. 

Theorem  4.1:  In  iterative  channel  composition,  all  non-descendents  of  a  node  trust  the  node’s 
parent  for  the  node,  and  all  descendents  of  a  node  trust  the  node  for  the  node’s  parent. 

□ 


4.3.2.  Recursive  Channel  Composition 

Consider  the  case  of  channel  establishment  from  Alice  to  Ibaraki  in  the  name  space  of 
Figure  4.4.  The  recursive  channel  composition  algorithm  composes  channels  beginning  from 
Ibaraki 1  (see  Figure  4.9)  and  consists  of  the  foEowing  steps  (see  Figure  4.10): 

Alice  makes  a  remote  invocation  F  \  to  aim ,  which  is  the  next  node  in  the  path  from  alice  to 
ibaraki ,  requesting  the  encryption  key  of  ibaraki . 

When  aim  receives  F\  request,  aim  makes  a  remote  invocation  F2  to  ibm ,  requesting  the  pub- 
Ec  key  of  ibaraki . 

This  sequence  of  remote  invocations  continues  tiE  finally  jap  makes  a  remote  invocation  F6  to 
ibm  J  which  is  the  node  just  ahead  of  ibaraki  in  the  path  from  alice  to  ibaraki ,  requesting  the 
key  of  ibaraki . 

Ibm J ,  which  has  ibaraki ’s  key,  sends  the  key  in  a  return  message  R  This  in  effect  composes 
the  channels  jap  -ibm _j  and  ibm  j  —ibaraki  to  form  the  channel  jap  —ibaraki . 

This  sequence  of  return  messages  and  channel  compositions  continues,  and  towards  the  end  die 
return  message  R  5  results  in  the  composition  of  channels  aim  -ibm  and  ibm  -ibaraki  to  form  the 
channel  aim  -ibaraki . 

FinaEy,  the  return  message  R6  results  in  the  composition  of  channels  alice -aim  and  alm- 
ibaraki  to  form  the  required  channel  alice  -ibaraki . 


1  It  should  however  be  noted  that,  even  though  channel  composition  begins  from  Ibaraki,  the  initiative  always 
starts  from  Alice. 
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Figure  4.6:  An  instance  of  iterative  channel  composition.  In  channel  establishment  from 
Alice  to  Ibaraki,  channel  composition  starts  from  Alice. 


Figure  4.7:  Remote  invocations  in  iterative  channel  composition.  In  channel  establish¬ 
ment  from  Alice  to  Ibaraki,  Alice  successively  makes  remote  invocations  to  nodes  in  its 
path  to  Ibaraki. 
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In  this  algorithm,  alice  makes  a  remote  invocation  Fx  within  which  there  is  a  remote 
invocation  F5,  and  so  oa  Thus  alice  makes  a  recursive  remote  invocation,  and  the  algorithm  is 
called  recursive  channel  compositioa 

Figure  4.11  illustrates  the  trust  relationships  in  recursive  channel  composition.  C  is  B ’s 
parent  node,  N  is  any  descendent  of  B ,  and  M  is  any  non-descendent  of  B.  To  establish  chan¬ 
nel  N  -M  using  recursive  channel  composition,  channels  are  successively  established  to  M  from 
nodes  in  the  path  M-N  in  the  name  space.  At  some  step  C  establishes  a  channel  to  M ,  and  at 
the  successive  step  B  establishes  a  channel  to  M  by  composing  channels  B-C  and  C-M . 
Using  the  results  in  Section  3.4,  TA  (B ,  C ,  M)  is  true.  Similarly,  to  establish  channel  M-N , 
channels  are  successively  established  to  N  from  nodes  in  the  path  N-M  in  the  name  space.  At 
some  step  B  establishes  a  channel  to  N ,  and  at  the  successive  step  C  establishes  a  channel  to  N 
by  composing  channels  C-B  and  B-N.  Hence  TA{C ,  B ,  N)  is  true.  Theorem  4.2  summarizes 
these  results. 

Theorem  42:  In  recursive  channel  composition,  a  node  trusts  its  parent  for  the  node’s  non- 
descendents,  and  the  parent  of  the  node  trusts  the  node  for  the  node’s  descendents. 

□ 

Having  obtained  the  trusts  required  by  iterative  and  recursive  channel  composition  in 
Theorems  4.1  and  4.2  above  respectively,  we  are  now  ready  to  tackle  the  design  problem  men¬ 
tioned  at  the  beginning  of  this  chapter.  Assuming  that  the  trust  relationships  of  all  agents  and  a 
channel  composition  order  are  given,  a  tree-structured  name  space  is  to  be  synthesized  so  that 
only  a  subset  of  the  given  set  of  trust  relationships  is  necessary  for  establishing  a  channel 
between  any  pair  of  agents  in  the  distributed  system.  The  next  section  discusses  the  nature  of 
trust  relationships  that  might  be  specified  in  such  a  design  problem. 


Figure  4.1 1:  Trust  relationships  in  recursive  name  resolution 
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4.4.  Trust  Specifications 

In  Section  3.7,  it  was  shown  that  the  trust  relationships  required  by  PKE-based  channel 
composition  protocols  form  a  proper  subset  of  the  trust  relationships  required  by  SKE-based 
channel  composition  protocols.  However,  current  hardware  implementations  of  SKE  are 
several  orders  of  magnitude  faster  than  those  of  PKE.  In  the  next  chapter,  we  will  present  pro¬ 
tocols  that  establish  channels  using  PKE  but  switch-over  to  SKE  once  a  channel  has  been  esta¬ 
blished.  These  protocols  have  the  smaller  trust  requirements  of  PKE-based  channel  composi¬ 
tion  but  have  the  performance  of  SKE.  Thus,  in  synthesizing  name  spaces  we  assume  that  the 
trust  requirements  are  those  of  PKE-based  channel  composition.  By  Section  3.4,  we  know  that 
PKE-based  channel  composition  requires  authenticity  trusts,  which  are  (boolean)  functions  of 
three  agents.  Thus,  we  assume  that  trust  specifications  for  synthesizing  name  spaces  are  in  gen¬ 
eral  3-agent  authenticity  trust  predicates.  Nevertheless,  the  synthesis  algorithms  that  we 
develop  in  the  following  sections  can  also  be  used  for  designing  SKE-based  name  spaces,  if, 
wherever  we  check  for  the  satisfaction  of  the  authenticity  trust  involving  three  agents,  we  also 
check  for  the  satisfaction  of  the  forwarding  trust  and  of  the  key  user-possessor  trust  involving 
the  same  three  agents. 

However,  trust  specifications  can  also  be  functions  of  two  agents.  The  next  section  inves¬ 
tigates  such  trust  specifications. 

4 .5.  Two-Agent  Trust  Specifications 

When  an  agent  specifies  its  trust  relationships,  it  is  common  for  the  trust  relationships  to 
take  one  of  the  following  two  forms: 

(1)  An  agent  trusts  another  agent, 

(2)  An  agent  is  trusted  for  another  agent. 

Such  trust  relationships  involve  two  agents,  and  can  be  thought  of  as  simplifications  of  the  gen¬ 
eral  3-agent  trust  predicates  required  in  channel  composition.  The  first  of  the  2-agent  trust  rela¬ 
tionships  above  can  be  thought  of  as  resulting  from  the  elimination  of  the  last  argument  of  a  3- 
agent  trust  relationship  of  the  form,  “an  agent  A  trusts  an  agent  B  for  every  other  agent”.  We 
will  denote  such  a  2-agent  trust  relationship  by  Ta(A  ,  B  ,*).  The  second  2-agent  trust  relation¬ 
ship  can  be  thought  of  as  resulting  from  the  elimination  of  the  first  argument  of  a  3-agent  trust 
relationship  of  the  form,  “every  agent  trusts  an  agent  B  for  an  agent  C  ”.  We  will  denote  such 
a  2-agent  trust  relationship  by  TA  (* ,  B ,  C). 

The  permutation  of  the  two  types  of  2-agent  trust  relationships  with  iterative  and  recursive 
channel  composition  results  in  four  combinations.  These  four  combinations  have  some  interest¬ 
ing  properties,  which  we  investigate  in  next. 

4.5.1.  Iterative  and  Recursive  Channel  Composition 

Suppose  that  trust  specifications  are  of  the  form  TA  ( node2 ,  node  j,  *),  and  that  the  channel 
composition  order  is  iterative.  Consider  any  node  B  in  the  name  space.  Let  N  be  any  descen- 
dent  of  B ,  and  C  be  the  parent  of  B  (see  Figure  4.12).  By  Theorem  4.1,  TA  (N ,  B ,  C )  is  true. 
Since  trust  specifications  are  all  of  the  form  TA(node 2,  node h  *),  satisfying  TA(N,B,C ) 
requires  that  TA  (N ,  B ,  * )  be  true.  Thus  we  have  the  following  lemma: 

Lemma  4.1:  Suppose  that  trust  specifications  are  of  the  form  TA  ( node2 ,  node  lt  *)  and  that  the 
channel  composition  order  is  iterative.  In  any  name  space,  all  the  descendents  of  each  node 
trust  the  node. 
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Figure  4.12:  Effect  of  iterative  channel  composition  when  trust  relationships  are  of  the 
form  Ta  (node 2,  node  t,  *) 


□ 

Considering  the  same  figure  (Figure  4.12),  let  M  be  any  non-descendent  of  B  and  A  be  any 
child  of  B .  By  Theorem  4.1,  TA(M ,B ,  A)  is  true.  Since  trust  specifications  are  of  the  form 
Ta (node 2,  node lf  *),  satisfying  TA(M,B,  A)  requires  that  T A (M , B ,  * )  be  true.  Thus  we  have 
the  following  lemma: 

Lemma  4J2:  Suppose  that  trust  specifications  are  of  the  form  TA  (node2,  node\,  *)  and  that  the 
channel  composition  order  is  iterative.  In  any  name  space,  all  the  non-descendents  of  each  node 
trust  the  node. 

□ 

Lemmas  4.1  and  4.2,  together  with  the  observation  that  every  node  is  either  a  descendent  or  a 
non-descendent  of  a  node,  yield  the  following  theorem: 

Theorem  4.3:  If  trust  relationships  are  of  the  form  TA(node  2,  node ,,  *)  and  channel  composi¬ 
tion  is  iterative,  all  the  nodes  in  any  name  space  are  globally  trusted. 

□ 

Now  consider  the  situation  when  trust  specifications  are  of  the  form  T A  (*  ,  node  lt  node 2) 
and  the  channel  composition  is  recursive.  Let  B  be  any  node,  A  be  any  child  of  B  and  M  be 
any  non-descendent  of  B  (see  Figure  4.13).  By  Theorem  4.2,  Ta(A  ,  B  ,M)  is  true.  Since  trust 
specifications  are  all  of  the  form  TA(* ,  nodex,  node?),  satisfying  Ta(A,B,M )  requires  that 
TA(*  ,B  ,M)be  true.  Thus,  we  have  the  following  lemma: 
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Figure  4.13:  Effect  of  recursive  name  resolution  when  trust  relationships  are  of  the  form 
Ta  (* ,  node  j,  node 2) 


Lemma  4.3:  When  trust  specifications  are  of  the  form  TA(* ,  nodex,  node 2)  and  the  channel 
composition  is  recursive,  in  any  name  space,  each  node  is  trusted  for  all  its  non-descendents. 

□ 

Considering  the  same  figure  (Figure  4. 13),  let  C  be  the  parent  of  B  and  N  be  any  descendent  of 
B .  By  Theorem  4.2,  TA{C,B,N)  is  true.  Since  trust  specifications  are  all  of  the  form 
Ta  (* ,  node  x,  node  2),  satisfying  TA{C,B,N)  requires  that  TA  (* ,  B ,  N)  be  true.  Thus,  we  have 
the  lemma: 

Lemma  4.4:  When  trust  specifications  are  of  the  form  TA  (* ,  node  x,  node 2)  and  the  chan¬ 
nel  composition  is  recursive,  in  any  name  space,  each  node  is  trusted  for  all  its  descendents. 

□ 

Lemmas  4.3  and  4.4,  together  with  the  observation  that  every  node  is  either  a  descendent  or  a 
non-descendent  of  a  node,  yield  the  following  the  theorem: 

Theorem  4.4:  If  trust  relationships  are  of  the  form  TA  (* ,  node ,,  node  2)  and  channel  composi¬ 
tion  is  recursive,  all  the  nodes  in  any  name  space  are  globally  trusted. 

□ 

Since  our  primary  goal  is  the  elimination  of  global  trust  requirements,  by  Theorems  4.3 
and  4.4,  it  is  clear  that  the  combinations  TA(node 2,  node  j,  *)  plus  iterative  channel  composi¬ 
tion  and  Ta  (* ,  node  j,  node ■£>  plus  recursive  channel  composition  are  not  interesting. 

Let  us  now  consider  the  remaining  two  combinations.  We  model  the  combination 
Ta  (* ,  node ,,  node  2)  plus  iterative  channel  composition  by  a  directed  graph  called  IT -graph , 
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in  which  there  is  an  edge  node  inode  2  if  and  only  if  node  1  is  trusted  for  node  2,  i.e.,  if 
Ta  (* ,  node  lt  node  2)  is  true  (see  Figure  4. 14(a)).  In  the  name  space,  if  C  is  the  parent  of  a  node 
B,M  is  any  non-descendent  of  B ,  and  N  is  any  descendent  of  B ,  by  Theorem  4ATa(M,C,B ) 
and  Ta  (N ,  B ,  C)  are  true  (see  Figure  4.14(b)).  If  B  is  a  leaf,  then  B  does  not  have  any  descen¬ 
dent  N  and  only  TA  (M  ,C,B)  is  true.  Since  trust  specifications  are  of  the  form 
Ta(*  ,  node  1,  node  satisfying  TA(M,C,B)  and  TA(N,B,C)  requires  that  TA(*,C,B )  and 
Ta(*,B,C)  be  true.  If  B  is  a  leaf,  only  TA(*,C ,  B )  need  be  true.  This  result  is  summarized 
in  the  following  theorem: 

Theorem  4.5:  Suppose  that  the  trust  specifications  are  of  the  form  TA(* ,  nodeh  node 2),  and 
that  the  nhannel  composition  is  iterative.  A  name  space  satisfies  a  given  set  of  trust 
specifications  if  and  only  if  the  following  two  conditions  are  satisfied: 

(1)  If  there  is  a  link  C-B  in  the  name  space  and  B  is  not  a  leaf,  then  TA(*  ,C ,B)  and 
Ta(*,B ,  C)  must  be  true,  i.e.,  there  must  be  edges  CB  and  BC  in  the  IT-graph  for  the 
trust  specifications. 

(2)  If  there  is  a  link  C-B  in  the  name  space  and  B  is  a  leaf,  TA  (* ,  C ,  B )  must  be  true,  i.e., 
there  must  be  an  edge  CB  in  the  IT-graph  for  the  trust  specifications. 

□ 

The  fourth  and  the  final  combination  is  of  the  form  TA  (node2,  nodeu  *)  with  recursive 
channel  composition.  We  model  this  combination  by  a  directed  graph  called  RT  -graph ,  in 
which  there  is  an  edge  node  inode  2  if  and  only  if  node 2  trusts  node  j,  i.e.,  T A  (node2,  node  1,  *  ) 
(see  Figure  4.15(a)).  In  the  name  space,  if  C  is  the  parent  of  a  node  B ,  M  is  any  non- 
descendent  of  B ,  and  N  is  any  descendent  of  B,  by  Theorem  4.2  TA(B,C,M )  and 
TA(C ,  B ,  N)  are  true  (see  Figure  4.15(b)).  If  B  is  a  leaf,  then  B  does  not  have  any  descendent 


Figure  4.14:  IT-graph  representation  of  trust  relationships  of  the  form 
Ta  (* ,  node  lf  node  2)  when  channel  composition  is  iterative,  (a)  There  is  a  directed  edge 
node  xnode  2  in  the  IT-graph  if  and  only  if  TA  (*  ,  node  j,  node 2)  is  true,  (b)  If  there  is  an 
independent  channel  C-B  in  the  name  space  and  B  is  not  a  leaf,  then  there  must  be  edges 
CB  and  BC  in  the  IT-graph. 
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N ,  and  only  TA(B,C,M )  is  true.  Since  trust  specifications  are  of  the  form 
Ta (node 2,  node lt  * ),  satisfying  TA(B ,  C ,  M)  and  TA(C ,  B ,  N)  requires  that  TA (B ,  C ,  * )  and 
TA(C ,B ,*)  be  true.  If  B  is  a  leaf,  only  TA(B,C,*)  need  be  true.  The  following  theorem 
summarizes  these  results: 

Theorem  4.6:  Suppose  that  the  trust  specifications  are  of  the  form  TA(node 2,  nodex,  *),  and 
that  the  channel  composition  is  recursive.  A  name  space  satisfies  a  given  set  of  trust 
specifications  if  and  only  if  the  following  two  conditions  are  satisfied: 

(1)  If  there  is  a  link  C-B  in  the  name  space  and  B  is  not  a  leaf,  then  TA(B ,C ,  * )  and 
Ta(C ,  B ,  * )  must  be  true,  i.e.,  there  must  be  edges  CB  and  BC  in  the  RT-graph  for  the 
trust  specifications. 

(2)  If  there  is  a  link  C  -B  in  the  name  space  and  B  is  a  leaf,  TA(B  ,C ,  * )  must  be  true,  i.e., 
there  must  be  an  edge  CB  in  the  RT-graph  for  the  trust  specifications. 

□ 


4.5.2.  Duality 

It  may  be  observed  that  Theorems  4.5  and  4.6  are  identical  except  for  the  fact  that  the  last 
and  the  first  arguments  to  the  trust  predicates  are  interchanged.  In  other  words,  the  combination 
TA  (node 2,  node  j,  *)  coupled  with  recursive  channel  composition  is  a  dual  of 
Ta(*  ,  node  lt  node  2)  coupled  with  iterative  channel  composition,  with  the  first  trust  argument 
replacing  the  role  of  the  last  trust  argument.  This  is  summarized  in  the  following  theorem: 

Theorem  4.7  (Duality  Theorem):  The  algorithms  for  synthesizing  name  spaces  for  the  combi¬ 
nation  Ta(*  ,  nodex,  node 2)  plus  iterative  channel  composition  become  the  algorithms  for  syn¬ 
thesizing  name  spaces  for  the  combination  TA  (node2,  node  t,  *  )  plus  recursive  channel  compo¬ 
sition,  if  the  last  and  first  arguments  of  the  trust  specifications  are  interchanged.  The  converse 


Figure  4.15:  Trust  relationships  are  of  the  form  TA(node2,  nodex,  *)  and  channel  compo¬ 
sition  is  recursive,  (a)  There  is  a  directed  edge  node  xnode2  in  the  RT-graph  if  and  only  if 
TA(node2,  nodex,  *)  is  true,  (b)  If  there  is  an  independent  channel  C-B  in  the  name 
space,  and  B  is  not  a  leaf,  then  there  must  be  edges  CB  and  BC  in  the  RT-graph. 
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of  this  statement  is  also  true. 

□ 

A  consequence  of  Theorem  4.7  is  that  developing  name  space  synthesis  algorithms  only 
for  the  combination  TA  (* ,  node  lt  node  2)  plus  iterative  channel  composition  is  sufficient. 

The  arguments  to  trust  specifications  are  agents,  which  represent  organizations  and  indivi¬ 
duals  sharing  a  distributed  system.  These  agents  occur  as  nodes  in  a  name  space  for  the  system. 
There  are  two  kinds  of  nodes  in  a  name  space,  namely,  internal  nodes  and  leaf  nodes.  The  inter¬ 
nal  nodes  serve  as  managers  of  databases  of  keys  and  have  agents  as  their  owners,  and  hence 
they  are  referred  to  as  name  servers.  The  leaf  nodes  represent  the  agents  themselves.  A  single 
agent  may  own  several  name  servers,  but  each  agent  is  represented  by  a  unique  leaf  node  in  a 
name  space.  Hence,  in  synthesizing  name  spaces,  we  assume  that  more  than  one  internal  node 
can  correspond  to  the  same  agent,  but  one  and  only  one  leaf  node  must  correspond  to  each 
agent,  and  every  agent  appears  as  a  leaf  node. 

4.6.  Name  Space  Synthesis  Given  Two-Agent  Trusts  and  Iterative  Composition 

In  this  section  we  develop  an  algorithm  for  synthesizing  name  spaces  for  the  combination 
Ta(*,  nodex,  node  2)  plus  iterative  channel  composition.  The  input  to  the  algorithm  is  a  set  of 
trust  specifications  of  the  form  TA  (*,  node  t,  node 2). 

4.6.1.  The  Synthesis  Algorithm 

The  first  step  of  the  algorithm  is  to  synthesize  the  IT-graph  for  the  given  trust 
specifications  (Figure  4.16-a).  The  IT-graph  is  then  transformed  into  an  undirected  graph  by 
replacing  all  bidirectional  edges  with  undirected  edges,  and  by  deleting  all  unidirectional  edges 
(Figure  4.16-b).  The  resulting  undirected  graph  is  converted  into  a  spanning  forest  (Figure 
4.16-c).  If  there  is  any  isolated  node  in  the  spanning  forest  such  that  in  the  original  IT-graph 
there  is  an  edge  towards  it  from  another  node,  an  undirected  edge  is  added  between  these  two 
nodes  in  the  spanning  forest  (Figure  4.16-d). 


Figure  4.16:  Name  space  synthesis  from  trust  functions  of  the  form  TA(* ,  nodex,  node 2) 
and  iterative  channel  composition,  (a)  A  sample  lT-graph.  (b)  Bidirectional  edges  re¬ 
placed  by  undirected  edges,  and  unidirectional  edges  are  removed,  (c)  Transfoimation  of 
the  undirected  graph  to  a  spanning  forest,  (d)  An  isolated  node  such  as  D  is  re-attached  if 
there  is  an  edge  towards  it  in  the  IT-graph. 
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If  the  resulting  spanning  forest  contains  more  than  one  tree,  then  no  tree-structured  secure  name 
space  is  possible.  On  the  other  hand,  if  there  is  only  one  tree  in  the  spanning  forest,  one  of  the 
nodes  is  selected  as  the  root,  and  all  the  nodes  in  the  tree  are  given  their  pathnames  as  names. 
The  resulting  name  space  satisfies  the  given  trust  specifications  when  iterative  channel  composi¬ 
tion  order  is  used.  The  exact  algorithm  is  as  follows: 


Algorithm  4,1 

construct  IT-graph  for  the  given  trust  specifications; 
for  (each  edge  AS  in  the  IT-graph)  do  { 
if  (there  is  no  edge  BA )  then  { 

delete  A5  from  the  IT-graph; 

}  else  { 

delete  AB  and  BA ; 
add  undirected  edge  AS ; 

} 

for  (each  connected  component  in  IT-graph)  do  { 
transform  to  a  spanning  tree; 

} 

for  (each  node  A  in  the  spanning  forest)  do  { 
if  (A  is  an  isolated  node)  then  { 

if  (there  is  an  edge  NA  in  the  original  IT-graph)  then  { 
add  an  undirected  edge  NA ; 
mark  A  as  a  leaf; 

}fi 

} 

if  (there  is  more  than  one  tree  in  the  forest)  { 
print(no  name  space  exists); 
return; 

}  else  { 

select  any  node  R  that  has  not  been  marked  as  a  leaf; 
mark  R  as  the  root  of  the  tree; 
for  (each  node)  do  { 

label  it  with  its  complete  pathname; 

} 

} 

return  the  constructed  name  space; 


4.6-2.  Correctness  and  Complexity  of  Algorithm  4.1 

In  the  following  theorem,  we  show  the  correctness  and  derive  the  computational  complex¬ 
ity  of  Algorithm  4.1. 

Theorem  4.8:  If  Algorithm  4.1  constructs  a  name  space,  the  constructed  name  space  satisfies 
the  given  set  of  trust  specifications  when  iterative  channel  composition  is  used.  If  a  name  space 
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exists,  Algorithm  4.1  constructs  a  tree-structured  name  space.  The  algorithm’s  worst-case 
time-complexity  is  0(max( number  of  trusts,  number  of  agents)). 

Proof:  We  first  prove  the  first  part  of  the  theorem,  i.e.,  that,  if  Algorithm  4.1  constructs  a  name 
space,  the  constructed  name  space  satisfies  the  given  set  of  trust  specifications  when  iterative 
channel  composition  is  used.  Suppose  the  algorithm  constructs  a  name  space  NS .  Consider 
each  edge  BC  in  NS.  Let  C  be  the  parent  of  B.  If  B  is  not  a  leaf,  BC  was  an  outcome  of  the 
second  for-loop  of  Algorithm  4.1,  hence  BC  was  an  undirected  edge  in  a  connected  component 
at  the  beginning  of  that  for-loop,  and  therefore  BC  was  an  undirected  edge  in  a  connected  com¬ 
ponent  at  the  end  of  the  first  for-loop.  Thus,  there  are  edges  BC  and  CB  in  the  IT-graph.  If  B 
is  a  leaf,  then  it  is  an  outcome  of  the  third  for-loop,  and  hence  there  is  an  edge  CB  in  the  IT- 
graph.  Applying  Theorem  4.5,  we  obtain  that  NS  satisfies  the  given  trust  specifications.  This 
completes  the  proof  of  the  first  part  of  the  Theorem. 

Suppose  that  a  name  space  NS  exists  for  the  given  trust  specifications.  We  now  show  that 
the  algorithm  will  construct  a  name  space.  Applying  Theorem  4.5,  the  IT-graph  must  contain  at 
least  (1)  bidirectional  edges  corresponding  to  the  links  between  two  internal  nodes  in  NS ,  and 
(2)  unidirectional  edges  corresponding  to  links  between  an  internal  node  and  a  leaf  node  in  NS . 
Thus,  at  the  end  of  the  first  for-loop  of  Algorithm  4.1,  there  will  be  a  connected  graph  in  which 
all  the  internal  nodes  of  NS  are  present,  and  at  the  end  of  the  second  for-loop,  this  connected 
graph  will  get  transformed  into  a  tree.  All  the  nodes  not  in  this  tree  will  get  added  as  leaves  to 
the  tree  in  the  third  for-loop.  Thus,  Algorithm  4.1  yields  a  tree-structured  name  space  if  one 
exists. 

Let  us  now  derive  the  worst-case  time  complexity  of  Algorithm  4.1.  The  number  of  edges 
is  of  the  order  of  the  number  of  trust  relationships.  Suppose  that  this  number  is  e .  Suppose  that 
the  number  of  nodes,  which  is  the  number  of  agents,  is  n .  The  complexity  of  the  first  for-loop 
is  0(e),  the  complexity  of  the  second  for-loop  is  the  complexity  of  constructing  a  spanning  tree, 
which  is  0(max(e,  n  )),  and  the  complexity  of  the  last  for-loop  is  O (n).  Thus,  the  complexity 
of  Algorithm  4.1  is  0(max(e ,  n)). 

This  completes  the  proof  of  Theorem  4.8. 

□ 


Algorithm  4.1  gives  one  possible  name  space  satisfying  the  given  trust  relationships. 
There  may  be  more  than  one  name  space  satisfying  the  same  given  set  of  trust  relationships.  In 
a  name  space,  each  node  has  to  store  a  database  of  encryption  keys  of  all  its  children.  In  a  name 
space  in  which  the  root  is  the  parent  of  all  other  nodes  (see  Figure  4.17-a),  the  root  has  to  store 
the  entire  database  containing  the  keys  of  all  other  agents  in  the  system,  resulting  in  a  central¬ 
ized  name  server.  At  the  other  end  of  the  spectrum  is  a  name  space  corresponding  to  a  hamil- 
tonian  path  (Figure  4.17-b),  in  which  each  node  has  to  store  just  one  key  (that  of  its  sole  child). 
Both  of  these  extreme  name  space  configurations  are  undesirable.  Therefore,  it  is  desirable  to 
put  bounds  on  the  number  of  children  of  each  node  in  a  name  space.  However,  the  next  section 
derives  some  NP-completeness  results  with  respect  to  these  bounded-children  name  space 
design  problems  [AHU74,GaJ79], 

4.6 J.  NP-Completeness  Results 

The  next  theorem  shows  that  the  problem  of  putting  an  upper  bound  on  the  number  of 
children  of  each  node  in  a  name  space  is  NP-complete.  But  before  we  prove  the  theorem,  we 
need  two  graph-theoretic  lemmas,  which  we  prove  next.  The  next  lemma  shows  an  equivalence 
between  hamiltonian  paths  and  bounded-children  spanning  trees  in  graphs. 
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A 


(a)  (b) 

Figure  4.17:  Extreme  cases  of  name  space  configuration  when  the  number  of  children  of  a 
name  space  node  cannot  be  bounded,  (a)  Name  space  in  which  the  root  is  the  parent  of  all 
other  nodes,  (b)  Name  space  that  is  a  hamiltonian  path. 


Lemma  4.5:  Let  G  be  a  graph  for  which  the  existence  of  a  hamiltonian  path  is  to  be  deter¬ 
mined.  Suppose  that  we  construct  a  graph  G'  by  adding  new  edges  and  new  nodes  as  follows 
(see  Figure  4.18):  to  each  node  V  in  G ,  we  add  u-2  new  edges,  each  edge  connecting  V  and  a 
new  node.  A  hamiltonian  path  for  G  is  a  spanning  tree  for  G' ,  and  in  the  spanning  tree,  each 
node  has  at  most  u  children.  The  converse  of  this  statement  is  also  true. 

Proof:  Suppose  that  there  is  a  hamiltonian  path  H  for  G .  Let  the  set  of  new  nodes  and  the  set 
of  new  edges  added  to  form  G'  be  denoted  by  NG-  and  EG- .  When  we  add  an  edge  of  EG-  to  H , 
a  new  node  gets  added  to  H ,  and  H  remains  a  tree  (i.e.,  no  cycles  are  created).  Thus,  when  we 
add  all  the  edges  of  EG-  to  H ,  we  obtain  a  tree  T  for  G' .  In  T ,  each  node  has  at  most  two 
edges  of  H  and  at  most  u-2  edges  of  EG-  incident  on  it  Thus,  there  is  an  upper  bound  of  u  on 
the  number  of  children  of  each  node  in  T . 

Suppose  that  there  is  a  spanning  tree  T  for  G'  with  an  upper  bound  of  u  on  the  number  of 
children  of  each  node.  Since  each  edge  of  EG-  connects  a  new  node  of  NG-  to  T ,  and  all  nodes 
of  NG’  must  be  present  in  a  spanning  tree,  all  the  edges  of  EG<  must  be  present  in  T .  Each  node 
of  ty-  is  a  terminal  node  in  T .  Thus,  when  we  remove  the  nodes  of  NG-  from  T ,  we  obtain  a 
tree  T  in  which  all  the  nodes  except  those  of  Nc- ,  i.e.,  all  the  nodes  of  G ,  are  present  Hence,  T 
is  a  spanning  tree  for  G .  Each  node  of  T  must  have  had  u-2  more  edges  incident  on  it  in  T 
(since  in  T ,  each  of  these  nodes  was  connected  to  u-2  nodes  of  NG').  But  in  T ,  each  node  has 
at  most  u  edges  incident  on  it.  Thus,  each  node  in  T  can  have  at  most  2  edges  incident  on  it.  A 
tree  in  which  each  node  has  at  most  2  edges  incident  on  it  is  a  hamiltonian  path.  Hence,  T  is  a 
hamiltonian  path  for  G .  This  completes  the  proof  of  Lemma  4.5. 
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□ 


The  next  lemma  proves  equivalence  between  any  spanning  tree  of  a  graph  and  the  IT- 
graph  for  the  graph.  This  equivalence  is  used  in  both  Theorem  4.8  and  Theorem  4.9. 

Lemma  4.6:  Given  a  graph  G ,  suppose  that  we  construct  an  IT-graph  ITG  by  replacing  each 
edge  in  G  with  a  bidirectional  edge.  Any  name  space  synthesized  for  ITG  is  a  spanning  tree  2 
of  G ,  and  any  spanning  tree  for  G  is  a  name  space  for  ITG . 

Proof:  Using  Theorem  4.5  and  the  fact  that  ITG  contains  only  bidirectional  edges,  we  obtain 
that  for  each  edge  in  NS  there  is  a  bidirectional  edge  in  ITG .  Since  for  each  bidirectional  edge 
in  ITG  there  is  an  undirected  edge  in  G ,  for  each  edge  in  NS  there  is  an  edge  in  G .  Thus,  NS 
is  a  subgraph  of  G . 

Consider  any  spanning  tree  T  for  G .  For  each  edge  in  T ,  there  is  a  bidirectional  edge  in 
ITG ,  and  hence,  by  Theorem  4.5,  T  is  a  name  space  for  ITG .  Thus,  any  spanning  tree  for  G  is 
a  name  space  for  ITG .  This  completes  the  proof  of  Lemma  4.6. 

□ 


B 


(a)  (b) 

Figure  4.18:  Construction  of  a  graph  G'  from  a  graph  G  in  Lemma  4.5  when  u= 5.  (a)  A 
sample  graph  G .  (b)  G'  obtained  from  G  by  adding  u- 2  =  3  new  edges  to  each  node  V 
in  G ,  each  new  edge  connecting  V  and  a  new  node. 


2When  we  say  a  name  space  is  a  spanning  tree  for  a  graph  G ,  we  mean  that  all  the  nodes  of  G  are  present  in  the 
name  space  and  there  are  no  cycles  in  the  name  space. 
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Theorem  4.9:  For  the  combination  TA(*,  nodeu  node 2)  plus  iterative  channel  composition, 
synthesizing  a  name  space  with  a  given  upper  bound  on  the  number  of  children  of  each  node  is 
NP-complete. 

Proof:  To  prove  that  the  problem  is  in  NP,  we  first  show  that  guessing  a  solution  and  checking 
the  validity  of  the  guessed  solution  has  polynomial  time  complexity  [AHU74,  GaJ79].  Let  the 
number  of  agents  be  V,  and  the  upper  bound  be  u.  To  build  a  name  space,  we  have  to 
enumerate  V-l  edges,  and  designate  one  of  the  nodes  as  the  root  Checking  the  validity  of  the 
guessed  name  space  consists  of  the  following  steps: 

(1)  The  name  space  must  be  connected  and  tree-structured  (i.e.,  there  must  not  be  any 
cycles  in  the  name  space). 

(2)  The  name  space  must  satisfy  the  given  trust  specifications.  Thus  for  each  edge 
between  internal  nodes  in  the  name  space,  there  must  be  bidirectional  edges  in  the  IT- 
graph  for  the  given  trust  specifications.  For  each  edge  between  an  internal  node  and  a  leaf 
node  in  the  name  space,  there  must  be  an  edge  from  the  internal  node  to  the  leaf  node  in 
the  IT-graph.  In  all  there  are  V-l  edges  in  the  name  space. 

(3)  The  number  of  children  of  each  node  must  not  exceed  u . 

Each  of  these  steps  can  be  carried  out  in  0(V)  time.  Thus  the  problem  is  in  NP. 

It  is  known  that  determining  the  existence  of  a  hamiltonian  path  in  a  graph  is  an  NP- 
complete  problem  [AHU74,GaJ79].  We  reduce  this  NP-complete  problem  to  our  problem  of 
putting  an  upper  bound  on  the  number  of  children  of  each  node  in  a  name  space.  To  achieve 
this  reduction,  given  a  graph  G  for  which  the  existence  of  a  hamiltonian  path  is  to  be  deter¬ 
mined,  we  construct  a  graph  G'  as  follows  (see  Figure  4.18):  to  each  node  V  in  G ,  we  add  «-2 
new  edges,  each  edge  connecting  V  and  a  new  node.  By  Lemma  4.5,  to  determine  the  existence 
of  a  hamiltonian  path  for  G ,  it  suffices  if  we  determine  the  existence  of  a  spanning  tree  for  G' 
with  each  node  having  at  most  u  children. 

We  now  construct  an  IT-graph  ITG'  by  replacing  each  edge  in  G'  with  a  bidirectional 
edge.  By  Lemma  4.6,  a  spanning  tree  with  an  upper  bound  of  u  on  the  children  of  each  node 
exists  for  G'  if  and  only  if  there  is  a  name  space  for  ITG'  with  the  same  upper  bound.  Con¬ 
structing  G'  from  G  is  an  0(n  xu )  operation,  and  if  e  is  the  number  of  edges  in  G ,  constructing 
ITG'  from  G'  is  an  0(e)  operation.  However,  the  upper  bound  u  cannot  exceed  the  number  of 
nodes  n ,  and  the  number  of  edges  cannot  exceed  the  square  of  the  number  of  nodes.  Therefore, 
the  complexity  of  the  two  constructions  together  is  0(n2).  Thus  we  have  reduced  the  problem 
of  determining  the  existence  of  a  hamiltonian  path  for  G  to  the  bounded  children  name  space 
problem  in  polynomial  time.  Since  the  hamiltonian  path  problem  is  NP-complete,  the  bounded 
children  name  space  problem  is  NP-complete. 

□ 


Now  consider  the  other  extreme  case  (Figure  4.17(b)).  We  consider  two  approaches  to 
avoiding  such  an  extreme  case.  In  the  first  approach,  we  assume  that  an  agent  can  occur  either 
as  a  leaf  node  or  as  an  internal  node  in  a  name  space,  and  try  to  put  a  lower  bound  on  the 
number  of  leaves  in  a  name  space.  In  the  second  approach,  we  try  to  put  a  lower  bound  on  the 
number  of  children  of  each  node  in  a  name  space. 

Theorem  4.10:  Consider  the  combination  TA(*,  node  t,  node 2)  plus  iterative  channel  composi¬ 
tion.  If  an  agent  can  occur  either  as  a  leaf  node  or  as  an  internal  node  in  a  name  space,  syn¬ 
thesizing  a  name  space  in  which  there  is  a  given  lower  bound  on  the  number  of  leaf  nodes  is 
NP-complete. 
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Proof:  Proving  that  the  problem  is  in  NP  is  identical  to  the  proof  we  gave  in  Theorem  4.9, 
except  that,  while  checking  the  validity  of  a  guessed  name  space,  we  have  to  check  for  the 
minimum,  rather  than  the  maximum,  number  of  children  of  a  node  in  the  name  space. 

It  is  known  that  the  following  problem  is  an  NP-complete  problem  [AHU74,GaJ79]: 
Given  a  graph  G  and  a  positive  integer  K  <  n  (where  n  is  as  usual  the  number  of  vertices  in  the 
graph),  does  the  graph  have  a  spanning  tree  such  that  the  number  of  leaves  in  the  tree  is  at  least 
K  ?  A  straight-forward  application  of  Lemma  4.6  yields  the  reduction  from  this  NP-complete 
problem  to  the  bounded  leaf  name  space  problem. 

□ 


Now  consider  the  problem  of  putting  a  lower  bound  on  the  number  of  children  of  each 
node  in  a  name  space.  The  following  algorithm  gives  a  reduction  from  the  bounded  leaf  prob¬ 
lem  to  bounded  children  name  space  problem.  Let  the  given  graph  in  the  bounded  leaf  problem 
be  G  having  n  vertices. 


Algorithm  4.2 

for  (each  set  vert  of  n-K  vertices  in  the  graph  G )  do  { 
construct  a  graph  G’  from  G  by: 

coalescing  the  subgraph  formed  by  vert  into  a  single  node  x ; 
construct  an  IT-graph  ITG'  by: 

replacing  each  edge  in  G'  by  a  bidirectional  edge; 
if  (ITG'  has  a  name  space  with  children  of  each  node  bounded  below  by  K) 

{ 

print(G  has  a  spanning  tree  with  number  of  leaves  bounded  below  by  K ); 
retum(success); 

} 

} 

print("G  does  not  have  a  spanning  tree  with  number  of  leaves  >  K  ”); 
retum(failure); 


Figure  4.19  illustrates  the  coalescing  step  of  the  algorithm.  The  subgraph  formed  by  the 
vertices  B,  Cl  and  C2  in  the  graph  of  Figure  4.19-a  are  coalesced  to  form  the  graph  of  Figure 
4.19-b.  To  coalesce  the  subgraph  S  formed  by  a  set  of  vertices  verts  in  a  graph  3,  we  carry  out 
the  following  steps: 

(1)  A  single  new  node  x  replaces  the  nodes  in  the  set  verts . 

(2)  All  edges  between  nodes  within  verts  are  deleted. 

(3)  Each  edge  between  a  node  w  outside  verts  and  a  node  within  verts  is  replaced  by  an  edge 
between  w  and  x. 


3  The  subgraph  S  consists  of  the  vertices  in  verts  and  the  edges  between  nodes  within  verts  ■ 
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(4)  All  other  nodes  and  edges  are  retained. 

We  now  show  that  Algorithm  4.2  returns  success  if  and  only  if  there  is  a  solution  for  the 
bounded  leaf  problem.  Suppose  that  Algorithm  4.2  gives  an  affirmative  answer  in  the  if-step. 
By  Lemma  4.5,  a  name  space  for  ITG'  is  a  spanning  tree  for  G’ .  Thus,  G'  has  a  spanning  tree 
Ta  with  the  number  of  children  of  each  node  at  least  K .  Since  the  number  of  leaves  in  a  graph 
is  no  less  than  the  smallest  number  of  children  of  a  node  in  a  tree,  the  number  of  leaves  of  Ta>  is 
at  least  K .  To  obtain  a  spanning  tree  Tc  for  the  original  graph  G ,  we  de-coalesce  the  coalesced 
node  n  in  TG  into  its  original  subgraph  S ,  and  transform  the  subgraph  S  into  a  spanning  sub¬ 
tree.  All  the  leaves  except  possibly  x  of  TG-  remain  as  leaves  of  Ta .  If  x  is  a  leaf  in  Tc-,  when 
x  is  de-coalesced  to  obtain  TG ,  x  fans-out  into  at  least  one  leaf.  Thus  TG  has  a  number  of 
leaves  at  least  equal  to  that  of  Tc> ,  and  hence  TG  has  its  number  of  leaves  at  least  K.  Thus,  if 
Algorithm  4.2  gives  an  affirmative  answer,  G  has  a  tree  in  which  the  number  of  leaves  is  at 
least  K .  Such  a  tree  is  a  solution  for  the  bounded  leaf  problem.  Thus,  if  Algorithm  4.2  gives  an 
affirmative  answer,  there  is  a  solution  for  the  bounded  leaf  problem. 

We  now  show  that,  if  there  is  a  solution  to  the  bounded  leaf  problem.  Algorithm  4.2  gives 
an  affirmative  answer.  Suppose  that  there  is  a  solution  to  the  bounded  leaf  problem.  Thus, 
there  is  a  spanning  tree  TG  for  G  whose  number  of  leaves  is  at  least  K.  If  we  coalesce  the  inte¬ 
rior  nodes  of  tree  TG ,  we  obtain  a  tree  TG-  which  has  only  one  internal  node,  and  all  the  leaves 
of  Tg  are  children  of  this  internal  node.  Thus,  the  number  of  children  of  the  only  node  in  TG-  is 
at  least  K.  By  Lemma  4.5,  TG>  is  also  a  name  space  for  ITG' .  Thus,  Algorithm  4.2,  when  it 
coalesces  the  nodes  of  G  that  occur  as  interior  nodes  of  TG ,  will  yield  an  affirmative  answer. 

In  summary.  Algorithm  4.2  yields  an  affirmative  answer  if  and  only  if  the  bounded  leaf 
problem  has  a  solution.  Thus,  Algorithm  4.2  is  a  reduction  from  the  bounded  leaf  problem  to 
our  bounded  children  name  space  problem. 

The  complexity  of  Algorithm  4.2  is  as  follows.  There  are  C(n,  n-K)  =  0(nK)  possibili¬ 
ties  for  a  set  of  n-K  vertices.  Coalescing  G  to  G'  involves  looking  at  each  of  the  vertices  and 


B-C1-C2 


Figure  4.19:  Reduction  of  "bounded  leaf'  problem  to  "bounded  children  name  space 
design"  problem  by  coalescing  internal  nodes.  The  internal  nodes  B ,  C 1  and  C  2  in  the 
graph  shown  in  (a)  are  coalesced  to  get  the  graph  shown  in  (b). 
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edges  in  G,  and  hence  is  of  complexity  0(max(n,e)).  Transforming  G'  to  ITG'  is  an  O (e) 
operation.  Thus,  the  complexity  of  Algorithm  4.2  is  of  the  order  of, 

nK  x  (max  (rt,e)  +  complexity  of  bounded  children  name  space  problem). 

4.7.  3-Agent  Trust  Specifications 

In  this  section  we  develop  algorithms  for  synthesizing  name  spaces  given  3-agent  trust 
specifications.  Directed  graphs  are  again  used  to  represent  the  trust  specifications.  However,  a 
directed  edge  by  itself  can  only  represent  a  binary  relationship  between  its  two  vertices.  Thus, 
in  representing  3-agent  trust  relationships  by  a  directed  graph,  two  of  the  agents  in  the  trust  rela¬ 
tionship  become  vertices,  and  the  third  agent  becomes  a  label  of  the  directed  edge  between  the 
vertices.  Thus,  a  labeled  directed  edge  is  used  to  represent  a  3-agent  trust  relationship. 

4.7.1.  Iterative  and  Recursive  Composition 

As  explained  at  the  beginning  of  this  chapter,  a  name  space  is  specific  to  a  channel  com¬ 
position  order.  When  the  channel  composition  order  is  iterative,  we  model  the  given  trust  rela¬ 
tionships  by  a  labeled  directed  graph  called  UT  -graph  4.  A  LIT-graph  contains  an  edge  BC 
labeled  with  a  set  of  agents  setBC  if  and  only  if  for  all  agents  A  in  setBC  we  have  Ta(A,B,C ) 
=  true  in  the  given  set  of  trust  specifications  (see  Figure  4.20).  Consider  a  name  space  that 
satisfies  the  given  set  of  trust  specifications.  If  B  is  any  node  in  the  name  space,  and  C  is  its 
parent,  the  link  B-C  divides  the  set  of  all  agents  in  the  name  space  into  two  disjoint  subsets 
containing,  (1)  the  descendents  of  B ,  e.g.,  N ,  and  (2)  the  non-descendents  of  C ,  e.g.,  M ,  respec¬ 
tively.  By  Theorem  4. 1 ,  for  all  descendents  N  of  B  ,TA(N ,  B ,  C )  =  true ,  and  hence  N  belongs 
to  setBC ,  and  for  all  non-descendents  M  of  C ,  TA  (M ,  C ,  B  )  =  true ,  and  hence  M  belongs  to 
setCB .  Since  every  node  except  B  and  C  is  either  a  descendent  of  B  or  a  non-descendent  of  C , 
and  since  B  and  C  trivially  belong  to  setBC  and  setCB ,  setBC  setCB  =  the  universal  set 5. 

Thus,  if  in  the  LIT-graph  for  a  given  set  of  trust  specifications  setBC  setcB  does  not 
equal  the  universal  set,  then  C  cannot  be  the  parent  of  B . 

Interchanging  the  roles  of  C  and  B ,  we  obtain  that,  if  setCB  \j  setBC  does  not  equal  the 
universal  set,  B  cannot  be  the  parent  of  C . 

But,  since  setBC  setCB  =  setCB  setBC ,  if  setCB  yj  setBC  does  not  equal  the  universal 
set,  the  link  B-C  cannot  exist  in  any  name  space  synthesized  for  the  given  trust  specifications, 
and  hence  the  edges  BC  and  CB  can  be  removed  from  the  LIT-graph.  These  results  are  sum¬ 
marized  in  the  following  theorem: 

Theorem  4.11:  Given  3-agent  trust  specifications,  if  iterative  channel  composition  is  used,  a 
link  B-C  can  exist  in  the  name  space  only  if,  in  the  LIT-graph  constructed  from  the  trust 
specifications,  the  union  of  the  labels  of  edges  BC  and  CB  equals  the  universal  set.  Moreover, 
if  C  is  the  parent  of  B ,  an  agent  N  that  is  a  descendent  of  B  in  the  name  space  must  belong  to 
setBC ,  and  an  agent  M  that  is  a  non-descendent  of  B  in  the  name  space  must  belong  to  setCB . 

□ 


4  LTT-graph  stands  for  Labeled  Iterative  Trust  graph. 

5  The  symbol  is  used  to  mean  the  union  of  sets. 
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When  the  channel  composition  order  is  recursive,  we  model  the  given  trust  relationships 
by  a  labeled  directed  graph  called  LRT -graph .  A  LRT-graph  contains  an  edge  BC  labeled 
with  a  set  of  agents  setBC  if  and  only  if,  for  all  agents  A  in  setBC  TA(C  ,B  ,A)  =  true  in  the 
given  set  of  trust  specifications  (see  Figure  4.21).  Consider  a  name  space  that  satisfies  the  given 
set  of  trust  specifications.  If  6  is  any  node  in  die  name  space,  and  C  its  parent,  the  link  B  -C 
divides  the  set  of  all  agents  in  the  name  space  into  two  disjoint  subsets  containing,  (1)  the  des- 
cendents  of  B ,  e.g.,  N,  and  (2)  the  non-descendents  of  B ,  e.g.,  AT,  respectively.  By  Theorem 
4.2,  for  all  descendents  N  of  B ,  we  have  TA(C ,  B ,  N)  =  true ,  and  hence  N  belongs  to  setBC ; 
also,  for  all  non-descendents  M  of  B ,  we  have  TA(B ,  C ,  M )  =  true ,  and  hence  M  belongs  to 
setcB  •  Since  every  node  is  either  a  descendent  or  a  non-descendent  of  a  node,  setBC  setCB  = 

the  universal  set.  6 

Thus,  if,  in  the  LRT-graph  for  a  given  set  of  trust  specifications,  setBC  setCB  does  not 
equal  the  universal  set,  C  cannot  be  the  parent  of  B . 

Interchanging  the  roles  of  C  and  B ,  we  obtain  that,  if  setCB  {j  setBC  does  not  equal  the 
universal  set,  B  cannot  be  the  parent  of  C . 

But,  since  setBC  setCB  =  setCB  setBC ,  if  setCB  setBC  does  not  equal  the  universal 
set,  the  link  B-C  cannot  exist  in  any  name  space  synthesized  for  the  given  trust  specifications, 
and  hence  the  edges  BC  and  CB  can  be  removed  from  the  LRT-graph.  These  results  are  sum¬ 
marized  in  the  following  theorem: 

Theorem  4.12:  Given  3-agent  trust  specifications,  if  recursive  channel  composition  is  used,  a 
link  B-C  can  exist  in  the  name  space  only  if,  in  the  LRT-graph  constructed  from  the  trust 
specifications,  the  union  of  the  labels  of  edges  BC  and  CB  equals  the  universal  set.  Moreover, 
if  C  is  the  parent  of  B ,  an  agent  N  that  is  a  descendent  of  B  in  the  name  space  must  belong  to 


Figure  4.20:  LIT-graph  representation  for  the  combination  consisting  of  3-agent  trust 
specifications  plus  iterative  channel  composition,  (a)  The  LIT-graph  contains  an  edge  BC 
labeled  with  setBC ,  where  setBC  is  the  set  of  all  agents  A  such  that  TA  (A ,  B ,  C )  is  true, 
(b)  The  union  of  setBC  and  setCB  must  be  the  universal  set. 
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setBC ,  and  an  agent  M  that  is  a  non-descendent  of  B  in  the  name  space  must  belong  to  setCB  ■ 

□ 


4.7 2.  Duality 

It  may  be  observed  that  Theorems  4.11  and  4.12  are  identical  except  that  the  sets  in 
Theorem  4.1 1  are  the  labels  in  a  LIT-graph  whereas  the  sets  in  Theorem  4.12  are  the  labels  in  a 
LRT-graph.  The  difference  in  the  computations  of  labels  in  a  LIT-graph  and  those  in  a  LRT- 
graph  is  that,  in  a  LIT-graph,  a  label  setBC  contains  the  agents  A  such  that  Ta(A ,  B ,  C)  -  true. 
In  a  LRT-graph,  a  label  setBC  contains  the  agents  A  such  that  TA(C ,  B ,  A)  =  true.  Thus,  the 
conditions  for  synthesizing  name  spaces  for  the  cases  of  iterative  and  recursive  channel  compo¬ 
sition  are  identical  except  for  the  fact  that  the  last  and  the  first  arguments  to  the  trust  predicates 
are  interchanged.  These  results  are  summarized  in  the  following  theorem: 

Theorem  4.13  (General  Duality  Theorem):  Any  algorithm  that  synthesizes  name  spaces  from 
LIT-graphs  is  also  an  algorithm  for  synthesizing  name  spaces  from  LRT-graphs,  and  vice  versa. 
Any  algorithm  that  synthesizes  name  spaces  for  3-agent  trust  specifications  combined  with 
iterative  channel  composition  becomes  an  algorithm  for  synthesizing  name  spaces  for  3-agent 
trust  specifications  combined  with  recursive  channel  composition  if  the  roles  of  the  first  and  the 
last  arguments  to  the  trust  specifications  are  interchanged,  and  vice  versa. 

□ 


Figure  4.21:  LRT-graph  representation  for  3-agent  trust  specifications  combined  with  re¬ 
cursive  channel  composition,  (a)  The  LRT-graph  contains  an  edge  BC  labeled  with 
setBC ,  where  setBC  is  the  set  of  all  agents  A  such  that  TA  (C ,  B ,  A )  is  true,  (b)  The  union 
of  setBC  and  setCB  must  be  the  universal  set. 
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As  a  consequence  of  Theorem  4.13,  we  can  limit  ourselves  to  developing  name  space  syn¬ 
thesis  algorithms  only  for  3-agent  trust  specifications  plus  iterative  channel  composition. 

4.8.  Name  Space  Synthesis  Given  Three-Agent  Trusts  and  Iterative  Composition 

This  section  gives  an  algorithm  for  synthesizing  name  spaces  for  3-agent  trust 
specifications  plus  iterative  channel  composition.  The  algorithm  takes  a  LIT-graph  as  input, 
and  outputs  a  name  space  satisfying  the  trust  specifications  represented  by  the  LIT-graph,  if 
such  a  name  space  exists. 

4.8.1.  The  Synthesis  Algorithm 

The  algorithm  employs  a  dynamic  programming  technique  to  synthesize  the  name  space. 
Since  the  algorithm  is  quite  involved,  for  ease  of  understanding,  we  will  describe  it  in  a 
bottom-up  fashion  with  the  help  of  an  example. 

Algorithm  4.3 

Let  us  assume  that  there  are  n  agents  l  lt  l2, ....  /„  to  be  named  in  the  name  space.  /j,  l2, 
....  /„  must  occur  as  leaf  nodes  in  the  name  space.  Let  us  assume  that,  out  of  these  n  agents, 
there  are  m  agents  ilt  i2,  ....  im  that  can  serve  as  name  servers,  i.e.,  as  internal  nodes  in  the 
name  space  (see  Figure  4.22).  Whether  an  agent  can  serve  as  a  name  server  or  not  is  the  choice 
of  the  agent;  hence  m  is  determined  by  the  number  of  agents  willing  to  serve  as  name  servers. 

There  are  at  most  n  steps  in  the  algorithm.  At  each  step  there  are  m  trees,  each  tree 
rooted  at  a  different  internal  node. 

Step  1;  In  the  first  step,  m  trees  are  constructed.  Each  tree  has  a  different  internal  node  as  its 
root  and  as  many  leaf  nodes  as  possible  as  the  children  of  the  root.  A  leaf  node  has  no  descen- 
dents,  and  all  nodes  are  its  non-descendents.  By  Theorem  4.11,  a  leaf  node  lB  can  become  a 
child  of  an  internal  node  ic  if  and  only  if  the  edge  CB  in  the  input  LIT-graph  is  labeled  by  the 
universal  set  (see  Figure  4.23). 

In  the  example,  let  /  {,  l2  and  Z3  become  the  children  of  ih  l4,  l5  and  l6  become  the  chil¬ 
dren  of  i2,  /7,  /8  and  l9  become  the  children  of  i3,  and  / 10,  In  and  / 12  become  the  children  of  i4 
(see  Figure  4.24). 

This  concludes  step  1. 

Let  us  assume  we  have  carried  out  k  steps,  at  the  end  of  which  there  are  m  trees,  tk,  t2k, 
...,  tmk  rooted  at  internal  nodes  ix,  i2,  ...,  im,  respectively  (see  Figure  4.25(a)).  Let  us  further 
assume  that  the  algorithm  does  not  meet  any  of  the  termination  conditions  to  be  presented  later 


il  i  2  im 

Internal  Nodes 


ll  1  2 

Leaf  Nodes 


Figure  4.22:  Internal  nodes  and  leaf  nodes  for  name  space  design  example 
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Id 

Set  must  be  the  universal  set 
CB 

Figure  4.23:  Node  lB  becomes  a  child  of  ic  if  and  only  if  setCB  is  the  universal  set 


Figure  4.24:  Trees  at  the  end  of  step  1  of  Algorithm  4.3  for  the  example 


in  this  section.  (For  clarity  and  ease  of  understanding,  the  termination  conditions  are  presented 
at  the  end  of  the  description  of  the  k+ Ith  step.)  The  (k+\)‘h  step  of  the  algorithm  is  carried  out 
as  follows. 

Step  k+1:  We  construct  m  trees  r,*+1,  r2*+1,  ....  tmk+l  in  m  substeps  substep  (txk+x), 
substep (t2k+l),  substep  (tmk+l),  respectively  (see  Figure  4.25(b)).  Each  of  these  substeps 
starts  from  the  end  of  step  k ,  and  hence  they  can  all  be  carried  out  in  parallel.  We  will  describe 
substep  (txk+l),  which  consists  of  constructing  r1*+1;  the  other  substeps  are  very  similar. 

Substep(t1k+1):  Tree  1 1(*+1)  rooted  at  ix  is  constructed  by  attaching  each  of  t2k,  t3k, ....  tmk  as  a 
subtree  of  t  k ,  directly  under  t  x ’s  root  i  x.  Effectively,  we  are  proposing  the  m- 1  new  indepen¬ 
dent  channels  ix-i2,  jH3,  and  t  x-im  (see  Figure  4.25(b-l)).  The  procedure  for  attaching  t2 
to  rf  as  a  subtree  is  called  attachment  (jtx,t2),  and  is  described  next  The  procedures 

attachment (t\,t$), ...  attachment (t\ ,  tk)  for  attaching  r3* . tmk  respectively  to  txk  are  very 

similar,  and  can  be  obtained  by  modifying  in  the  obvious  way  the  one  to  be  described. 

Attachment^*,  tk):  When  t2  is  attached  as  a  subtree  of  t\ ,  root  i2  of  t2  becomes  a  child  of 
root  i  i  of  t * .  The  nodes  in  f(  and  t2  must  now  satisfy  the  trust  relationships  represented  by  the 
input  LIT-graph.  The  following  tests  check  if  the  nodes  satisfy  the  required  trust  relationships, 
and  eliminate  the  nodes  that  do  not  (see  Figure  4.26): 

(Tl):  Each  node  in  t2  is  a  descendent  of  i2.  By  Theorem  4.11,  each  node  in  t2  must 
belong  to  set2x  in  the  input  LIT-graph.  Nodes  that  do  not  satisfy  this  condition  must  be 
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Figure  4.25:  Illustration  of  step  £+1  of  the  name  space  design  algorithm,  (a)  Trees  at  the 
end  of  step  k.  (b)  Step  £+1  consists  of  substeps  substep  (t  ik+l),  substep  (t2k+1),  .... 
substep  (tmk+l).  Each  of  these  substeps  starts  from  (a),  and  hence  they  can  all  be  carried 
out  in  parallel,  (b-1)  Substep  (t  1i+1),  consisting  of  attachments  attachment  (t\  ,t2),  ... 
attachment (t\,tk)  that  attach  all  other  trees  to  t\ ,  (b-2)  Substep  (t^1),  consisting  of  at¬ 
tachments  attachment  (t2,t\),...  attachment  (t2 ,  tk)  that  attach  all  other  trees  to  t2. 


deleted  from  t2 .  The  deletion  of  a  node  from  a  tree  is  described  by  Algorithm  4.4  in  the 


next  section,  and  may  not  always  be  possible.  Thus,  if  a  node  in  r2  that  does  not  belong 
to  set 2 1  cannot  be  deleted  from  r2,  cannot  be  attached  as  a  subtree  of  t\ ,  tests  T2  and 
T3  are  skipped,  and  attachment (t\ ,  t\)  terminates. 

(T2):  After  test  Tl,  each  node  that  is  not  in  r2  will  be  a  non-descendent  of  i2  in  the  final 
tree,  and,  by  Theorem  4.11,  such  a  node  must  belong  to  setl2-  If  this  is  not  satisfied,  t\ 
cannot  be  attached  as  a  subtree  of  t\,  test  T3  is  skipped,  and  attachment  {t\,  r2)  ter¬ 
minates. 

(T3):  After  tests  Tl  and  T2,  if  a  leaf  node  lD  occurs  in  both  t\  and  r2 ,  one  of  the  two 
duplicates  of  Ip  must  be  eliminated  (see  Figure  4.26).  If  lD  e  set 21,  deletion  of  lD  from  t \ 
becomes  permissible  if  the  node  deletion  algorithm,  Algorithm  4.4  returns  success.  If  /p  e 
set  12,  deletion  of  lD  from  r2  becomes  permissible  if  Algorithm  4.4  returns  success.  If 
deletion  of  /p  from  either  t\  or  r2  becomes  permissible,  the  choice  of  the  tree  from  which 
it  is  to  be  deleted  can  be  made  arbitrarily.  That  this  choice  will  have  no  effect  on  subse¬ 
quent  attachments  is  shown  in  Section  4.8.3.  If,  on  the  other  hand,  the  deletion  of  /n  from 
either  r2  or  t\  is  not  permissible,  f2  cannot  be  attached  as  a  subtree  of  t\,  and 
attachment  (rf ,  1 2)  terminates. 

After  attachment  (t\ ,  r2 ),  the  succeeding  attachments  are,  in  order, 
attachment^ * ,  r*), ....  attachment^ ,  /*). 

The  sequence: 

{attachment^  * ,  r2) . attachment(r  \ ,  r* )} 

forms  substep(t\+l )  (see  subfigure  b- 1  of  Figure  4.25). 

The  sequence: 
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{substep(f  *+1 ),  substep(f2+1 ) . substep(r*+1)} 

fonns  step  k+ 1  (see  Figure  4.25). 

The  algorithm  terminates  at  the  end  of  the  k+l,h  step  if  any  of  the  following  conditions 
are  satisfied: 

(1)  At  least  one  of  f1*+1,  t2k+1 , ....  tmk+l  contains  all  the  leaf  nodes  lx,  l2,  ....  l„ •  One  of 
tkJrX,  t2k+x, ...,  tmk+l  that  has  all  the  leaf  nodes  is  output  as  the  name  space. 

(2)  tf*1,  t2k+l . tmk+l  are  identical  to  t{k,  t2  . tmk  respectively.  In  this  case,  further 

steps  will  not  yield  any  new  trees,  and  no  name  space  exists. 

This  concludes  step  k+ 1  of  Algorithm  4.3.  If  none  of  the  termination  conditions  are  satisfied, 
the  algorithm  proceeds  to  step  k+2,  without  regard  for  the  value  of  k.  However,  in  Theorem 
4.16,  we  will  show  that  there  can  be  at  most  m  steps  in  the  Algorithm. 

□ 


4.8.2.  Leaf  Node  Deletion  Algorithm 

Nodes  that  do  not  satisfy  tests  Tl,  T2  or  T3  during  an  attachment  must  be  deleted  from 
their  respective  trees.  In  this  section,  we  present  the  algorithm  for  deleting  a  node  from  a  tree. 
Note  that  the  deletion  of  a  node  from  a  tree  is  not  always  possible. 

Algorithm  4.4 

Consider  an  attachment  such  as  attachment (t\ ,  t2),  in  which  a  leaf  node  such  as  lD  is  to 
be  deleted  from  tk  (see  Figure  4.26).  When  Ip  is  in  tk2,  lD  is  a  descendent  of  all  the  nodes  that 
are  in  the  path  from  the  root  i2  of  t2  to  /D  and  a  non-descendent  of  all  other  nodes  in  t2 .  For 
each  link  C-B  in  the  path  from  i2  to  Ip ,  Ip  is  a  descendent  of  B ,  and  hence,  by  Theorem  4.11, 
lD  e  setBC.  When  lD  is  deleted  from  t\,  lD  becomes  a  non-descendent  of  all  nodes  in  t2  \  Ip  is 
then  a  non-descendent  of  B  (see  Figure  4.27),  and  hence  by  Theorem  4.1 1,  lD  e  setCB ,  Thus,  it 
is  permissible  to  delete  lD  from  t2  only  if,  for  all  links  C-B  in  the  path  from  the  root  i2  to  lD , 
lD  e  setcs  • 

This  completes  the  description  of  Algorithm  4.4. 

□ 


To  further  visualize  the  effect  of  deletion  (see  Figure  4.27),  notice  that,  when  Ip  is  in  t2 , 
for  each  link  C-B  in  the  path  from  root  i2  to  lD,  Ip  reaches  ic  through  iB ,  and  hence  TA  (lD , 
iB ,  ic )  is  true.  When  lD  is  deleted  from  t2 ,  it  has  to  reach  iB  through  ic ,  and  hence  TA  (lD ,  ic , 
iB )  must  be  true.  Recall  that  deletion  is  only  to  be  done  when  there  are  duplications.  Thus, 
deletion  of  lD  from  t2  will  not  cause  the  disappearance  of  lD  from  the  global  forest  at  level  k . 

4.8.3.  Independence  Properties  of  Duplicate  Elimination  in  Algorithm  4.3 

Test  T3  in  an  attachment  performs  deletion  of  duplicate  nodes.  If  the  deletion  of  a  dupli¬ 
cate  node  from  either  of  the  trees  involved  in  an  attachment  is  permissible,  a  question  may  arise 
as  to  whether  the  choice  will  have  any  effect  on  subsequent  attachments.  Suppose  that  the 
choice  does  have  an  effect.  In  order  to  find  a  name  space  if  one  exists,  Algorithm  4.3  would 
have  to  exhaust  the  entire  choice  space,  and  hence  would  have  to  backtrack  if  it  fails  to  find  a 
name  space  tree.  Consequently,  Algorithm  4.3  would  become  very  cumbersome. 


Figure  4.27:  Effect  of  deleting  node  lD  from  tree  r*+1  •  For  each  link  C~B  in  *e  Path 
from  the  root  i2  to  lD ,  (a)  prior  to  deletion  when  lD  is  in  t2+1 ,  Ip  is  a  descendent  of  iB , 
and  (b)  after  deletion,  lD  is  a  non-descendent  of  iB . 


Fortunately,  the  following  theorem  proves  that  the  choice  of  the  duplicate  for  deletion  will 
have  no  effect  whatsoever  on  subsequent  attachments,  and  thus  Algorithm  4.3  does  not  have  to 
backtrack. 

Theorem  4.14:  Suppose  that  in  an  attachment,  say  attachment  (r  *,  f*),  lD  occurs  as  a  duplicate, 
and  the  deletion  of  lD  from  either  r*  or  r*  is  permissible,  choosing  either  r*  or  f  *  for  deleting  lD 
will  have  no  effect  on  subsequent  attachments  and  hence  the  choice  between  them  can  be  arbi¬ 
trary. 

Proof:  To  maintain  uniformity  of  description  with  Algorithms  4.3  and  4.4,  we  will  consider 
attachment  i  =  attachment^* ,  t2)  for  the  purposes  of  the  proof.  The  same  proof  holds  for  any 
other  attachment. 

Let  choice  x  denote  the  deletion  of  lD  from  t\ ,  and  choice  2  denote  the  deletion  of  lD  from 
t2 .  Choice x  requires  that  the  deletion  of  lD  from  t\  be  permissible  in  Algorithm  4.4.  Hence 
choice  j  requires  that  the  following  condition  be  satisfied  (see  Figure  4.28): 

(51) :  For  each  link  F-E  in  the  path  from  i  x  to  lD ,  lD  e  setFE 

Choice  2  requires  that  the  deletion  of  lD  from  t2  be  permissible  in  Algorithm  4.4.  Hence 
choice 2  requires  that  the  following  condition  be  satisfied  (see  Figure  4.29): 

(52) :  For  each  link  C—B  in  the  path  from  i2\olD,lD  e  setCB 

Consider  the  subsequent  attachment,  namely,  attachment 2  =  attachment^* ,  f*).  Notice  that,  if 
lD  does  not  occur  in  r* ,  the  deletion  of  lD  in  attachment  x  has  no  effect  on  attachment 2.  Hence 
making  choice  x  or  choice 2  has  no  effect  on  attachment 2. 

Suppose  that  lD  does  occur  in  f  * .  lD  must  be  deleted  during  attachment 2.  The  only  effect 
that  choice  x  or  choice 2  could  possibly  have  on  attachment 2  is  on  the  deletion  of  lD  during 
attachment 2.  There  are  two  possibilities  for  the  deletion  of  lD  during  attachment  2: 
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(PI):  Deletion  of  Iq  from  t\ ,  or 
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(P2):  Deletion  of  lD  from  t2  or  depending  on  whether  attachment 2  was  preceded  by 
choice  x  or  choice  2,  respectively. 

Consider  the  possibility  PI.  If  choice  j  was  taken  during  attachment  lt  deletion  of  Id  from  r3 
during  attachment  2  is  permissible  in  Algorithm  4.4  if  (see  Figure  4.30): 

(53) :  For  each  link  H-G  in  the  path  from  i3  to  lD,  lD  £  setHG 

If  choice 2  had  been  taken  during  attachment  t,  deletion  of  lD  from  r3  during  attachment 2  is  per¬ 
missible  in  Algorithm  4.4  if  (see  Figure  4.31): 

(54) :  For  each  link  H-G  in  the  path  from  i 3  to  lD ,  lD  e  setHG 

Conditions  S3  and  S4  are  identical.  Thus,  for  possibility  PI  during  attachment2,  making 
choice  i  or  choice  2  during  attachment  i  has  no  effect  on  attachment 2. 

Now  consider  possibility  P2.  Suppose  that  choice  x  was  taken  during  attachment  x.  Dele¬ 
tion  of  Id  from  t2  during  attachment 2  is  permissible  in  Algorithm  4.4  if  (see  Figure  4.30): 

(55) :  For  each  link  C-B  in  the  path  from  i2tolD,  Id  £  setCB 

Suppose  that  choice 2  was  taken  during  attachment  j.  Deletion  of  lD  from  t\  during  attach¬ 
ment  2  is  permissible  in  Algorithm  4.4  if  (see  Figure  4.31): 

(56) :  For  each  link  F-E  in  the  path  from  i  j  to  IdJd  £  setFE 

There  is  a  difference  in  conditions  S5  and  S6.  Suppose  that  S5  is  satisfied.  Choice  \  must  have 
been  taken  during  attachment  lt  and  hence  SI  must  be  satisfied.  But  SI  is  identical  to  S6,  and 
hence  S6  is  satisfied.  Thus,  S5  =>  S6. 

Suppose  that  S6  is  satisfied.  Choice 2  must  have  been  taken  during  attachment x,  and 
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hence  S2  must  be  satisfied.  But  S2  is  identical  to  S5,  and  hence  S5  is  satisfied.  Thus,  S6  =>  S5. 

In  conclusion,  S5  <=>  S6.  Hence,  making  choice  x  or  choice  2  does  not  have  any  effect  in 
the  case  of  possibility  P2. 

This  completes  the  proof  that  making  choice  x  or  choice  2  has  no  effect  on  subsequent 
attachments,  and  hence  can  be  arbitrary.  Thus,  in  any  attachment,  if  the  deletion  of  either  of  the 
duplicates  is  possible,  the  choice  of  the  duplicate  to  be  deleted  can  be  arbitrary. 

□ 


4.8.4.  Correctness  of  Algorithm  4 3 

The  following  theorem  proves  the  correctness  of  Algorithm  4.3. 

Theorem  4.15:  If  the  channel  composition  order  is  iterative,  a  name  space  synthesized  by  Algo¬ 
rithm  4.3  satisfies  the  given  trust  specifications,  and  Algorithm  4.3  synthesizes  a  name  space  if 
one  exists  when  node  deletions  are  independent. 

Proof:  The  proof  is  by  induction  on  the  number  of  steps  in  the  algorithm.  The  induction 
hypothesis  is  as  follows: 

Induction  Hypothesis:  At  step  k,  for  all  x  from  1  through  m ,  r*  satisfies  the  given  trust  rela¬ 
tionships,  and  r*  contains  all  the  leaf  nodes  that  can  possibly  be  at  a  distance  k  or  less  from  its 
root. 

While  deriving  the  complexity  of  Algorithm  4.3  in  Theorem  4.16,  we  show  that,  if  the 
number  of  internal  nodes  is  m ,  there  can  be  at  most  m  steps  in  the  Algorithm.  Thus,  when  k  = 
m,  the  induction  hypothesis  becomes  the  theorem  itself.  Hence,  to  prove  the  theorem,  it 
suffices  to  prove  the  induction  hypothesis. 
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Base  step:  Let  k  =  1  in  the  induction  hypothesis.  For  each  x  and  y ,  Algorithm  4.3  adds  a  leaf 
node  ly  as  a  child  of  ix  only  if  set^  is  die  universal  set  Since  ly  is  a  leaf  node  and  all  other 
nodes  are  its  non-descendents,  by  Theorem  4.11  the  link  ix-ly  satisfies  the  given  trust  relation¬ 
ships.  As  this  is  true  for  all  x  and  y ,  all  the  trees  satisfy  the  given  trust  relationships.  Since 
Algorithm  4.3  tries  to  add  each  leaf  node  to  each  internal  node,  each  tree  contains  all  the  leaf 
nodes  that  can  possibly  be  at  a  distance  1  from  the  root  of  the  tree.  This  completes  the  proof  of 
the  base  step. 

Induction  step:  Let  us  assume  that  the  induction  hypothesis  is  true  fork.  We  have  to  show  that 
the  hypothesis  is  true  for  k+ 1.  We  will  give  the  proof  for  x  =  1  in  the  hypothesis.  The  same 
proof  holds  for  all  other  values  of  x . 

Consider  t\ ,  the  tree  rooted  at  i  j  at  the  end  of  step  k .  In  each  of  the  attachments  (t\ ,  r2 ), 
(r  i ,  ), ....  (r  * ,  r*),  tests  T1  and  T2  are  direct  applications  of  Theorem  4.1 1.  Hence,  they  elim¬ 

inate  all  the  nodes  that  do  not  satisfy  the  required  trust  relationships,  and  t *+1  satisfies  the  given 
trust  relationships.  This  proves  the  first  part  of  the  induction  hypothesis. 

Since  the  induction  hypothesis  is  assumed  to  be  true  for  k ,  t\  contains  all  the  leaf  nodes 
that  can  possibly  be  at  a  distance  not  exceeding  k  from  i  x.  Now  consider  a  leaf  node  lx  that  can 
possibly  be  at  a  distance  not  exceeding  k+\  in  a  tree  rooted  at  i  j.  lx  has  to  be  either  at  a  dis¬ 
tance  not  exceeding  k  or  at  a  distance  of  k+l.  If  lx  is  at  a  distance  not  exceeding  k,  it  must  be 
present  in  ,  and  hence  it  will  be  present  in  1 *+1 .  If  4  is  at  a  distance  of  k+\  from  i  h  it  must 
be  at  a  distance  k  from  some  child  t2  of  i  j.  By  the  induction  hypothesis  the  tree  r2  at  step  k 
contains  all  nodes  that  can  possibly  be  at  a  distance  not  exceeding  k,  and  hence  contains  lx. 
During  attachment^ \ ,  r2)  of  step  k+l.  Algorithm  4.3  attaches  f*  as  a  subtree  of  t\ ,  and,  when 
node  deletions  are  independent,  lx  becomes  part  of  f*+1  at  a  distance  of  k+l  from  the  root. 
Thus,  r*+1  contains  all  the  leaf  nodes  that  can  possibly  be  at  a  distance  k+l  or  less  from  ix. 
This  completes  the  proof  of  the  induction  step  and  of  Theorem  4.15. 

In  a  name  space,  the  path  from  the  root  to  a  leaf  node  cannot  contain  duplicate  internal 
nodes.  This  is  because,  if  a  path  contains  duplicate  internal  nodes,  the  part  of  the  path  between 
the  duplicate  nodes  together  with  one  of  the  duplicate  nodes  can  be  removed  from  the  path.  For 
example,  suppose  that  a  path  contains  the  sequence  i  lt  i2,  ....  ix,  and  ix,  in  which  there  is  a 
duplication  of  i  x.  The  nodes  ix,  i2, ....  ix  can  be  deleted  from  the  path,  eliminating  the  duplica¬ 
tion.  Thus,  in  a  name  space,  the  path  from  the  root  to  any  leaf  can  contain  at  most  all  the  m 
internal  nodes  (including  the  root).  Therefore,  each  leaf  node  must  be  at  a  distance  m  or  less 
from  the  root  But  notice  that,  when  k  =  m ,  the  induction  hypothesis  that  we  proved  above 
becomes  the  theorem  itself,  and  hence  each  tree  at  step  m  contains  all  the  leaf  nodes  that  can 
possibly  be  at  a  distance  m  or  less  from  the  root.  Thus,  if  a  name  space  exists,  there  will  be  a 
tree  containing  all  agents  as  leaf  nodes  at  the  end  of  step  m  of  Algorithm  4.3.  Hence,  Algo¬ 
rithm  4.3  synthesizes  a  name  space  if  one  exists. 

This  completes  the  proof  of  Theorem  4.15. 

□ 


4.8 .5.  Complexity  of  Algorithm  4  J 

At  step  S  of  Algorithm  4.3,  to  each  tree  all  the  nodes  that  can  possibly  be  at  distance  not 
exceeding  S  from  the  root  of  the  tree  are  added  to  the  tree.  Since  there  are  at  most  m  internal 
nodes,  a  leaf  node  can  at  most  be  at  a  distance  of  m  from  the  root  of  the  name  space.  Thus, 
Algorithm  4.3  synthesizes  a  name  space  if  one  exists  in  at  most  m  steps,  and  hence  there  are  at 
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most  m  steps  in  Algorithm  4.3. 

Each  step  of  the  algorithm  consists  of  m  substeps.  Each  substep  consists  of  m- 1  attach¬ 
ments.  Thus,  at  each  step  there  are  0(m2)  attachments,  and  there  are  at  most  0(m3)  attach¬ 
ments  in  the  algorithm. 

In  each  attachment,  tests  Tl,  T2  and  T3  are  executed  once  for  each  leaf  node  in  the  tree 
being  attached,  and  hence  they  are  executed  at  most  n  times.  Tl  and  T3  each  consist  of  node 
deletion,  and  each  deletion  involves  testing  O(n)  trust  relationships  and  hence  takes  0(n)  time. 
T2  consists  of  checking  one  trust  relationship  per  leaf  node  and  hence  takes  O (n)  time.  Thus 
each  attachment  takes  O (n2)  time  at  worst.  These  results  are  summarized  in  the  following 
theorem: 

Theorem  4.16:  If  m  is  the  number  of  internal  nodes  and  n  the  number  of  leaf  nodes,  there  can 
be  at  most  m  steps  in  Algorithm  4.3,  and  the  worst  case  complexity  of  Algorithm  4.3  is 
O  (mV). 

□ 


When  O(m)  =  O(n),  by  Theorem  4.16,  the  worst  case  complexity  of  Algorithm  4.3  is 
0(n5). 

Theorem  4.9,  together  with  the  observation  that  the  problem  of  designing  a  name  space 
given  3-agent  trust  specifications  is  the  general  case  of  which  the  problems  of  designing  a  name 
space  given  2-agent  trust  specifications  are  special  cases,  yields  that  putting  an  upper  bound  on 
the  children  of  each  node  in  the  name  space  for  3-agent  trust  specifications  is  NP-complete. 
This  is  summarized  in  the  following  theorem: 

Theorem  4.17:  Given  3-agent  trust  specifications  and  either  iterative  or  recursive  channel  com¬ 
position,  the  problem  of  designing  a  name  space  with  an  upper  bound  on  the  number  of  children 
of  each  node  is  NP-complete. 

□ 


4.9.  An  Example 

The  name  space  design  algorithms  described  in  this  chapter  have  been  implemented  and 
experimented  with.  Figure  4.32  shows  the  name  space  synthesized  by  Algorithm  4.3  from  a 
sample  set  of  tmst  specifications.  The  trust  specifications  are  enumerated  in  Appendix  1.  Only 
the  internal  nodes  of  the  name  space  are  shown:  each  node  is  assumed  to  have  leaf  nodes 
corresponding  to  the  employees  of  the  organization  labeling  the  node. 

The  mist  specifications  were  then  changed  and  the  name  space  was  reconstructed  using 
Algorithm  1.  The  changes  in  tmst  specifications  were  that,  the  tmst  relationships  in  which 
agents  tmst  ibm  for  ibm-j  and  vice-versa  were  replaced  by  tmst  relationships  in  which  agents 
tmst  ibm  for  sony—usa  and  vice-versa.  Figure  4.33  shows  the  reconstructed  name  space. 

The  two  name  spaces  are  quite  different,  even  though  the  difference  in  their  tmst 
specifications  is  not  significant  Thus,  small  changes  in  tmst  relationships  can  cause  substantial 
differences  in  the  name  space  configuration.  This  shows  that  tmst  relationships  can  have 
significant  effects  on  the  structure  of  a  name  space.  Name  space  design  that  takes  into  account 
such  non-trivial  effects  is  too  complicated  to  be  carried  out  by  manual  trial-and-error  methods 
for  a  large  distributed  system.  Thus,  the  algorithms  described  in  this  chapter  are  useful  for 
designing  real  distributed  systems. 
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Figure  4.32:  Name  space  for  a  sample  set  of  trust  specifications 


specifications. 


4.10.  Conclusion 

In  a  distributed  system,  it  is  desirable  to  have  a  tree  of  independent  channels.  A  tree  of 
independent  channels  iso  represents  a  global  name  space.  There  are  two  channel  composition 
orders,  namely,  iterative  and  recursive .  Iterative  and  recursive  channel  compositions  require 
different  trusts  and  are  duals  of  each  other.  As  one  of  the  most  important  applications  of  a  for¬ 
mal  theory  of  trust,  we  have  developed  polynomial-time  algorithms  for  synthesizing  name 
spaces  so  that,  given  a  channel  composition  order  and  the  trust  relationships  of  agents,  channel 
composition  between  any  two  agents  requires  only  a  subset  of  the  given  set  of  trust  relation¬ 
ships.  The  trust  relationships  are  in  general  functions  of  three  agents,  but  can  also  be  functions 
of  two  agents,  in  which  case  the  algorithms  are  simpler.  Each  node  in  the  name  space  has  to 
store  the  database  of  public  keys  of  its  children,  and  hence  it  is  desirable  to  put  an  upper  bound 
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on  the  size  of  this  database.  However,  this  problem  is  NP-complete.  Sample  runs  of  the  name 
space  design  algorithms  show  that  small  differences  in  trust  relationships  can  cause  substantial 
differences  in  name  spaces,  thus  demonstrating  that  trust  relationships  can  have  a  significant 
effect  on  the  structure  of  a  name  space.  Design  of  a  name  space  that  takes  into  account  the 
non-trivial  effects  of  trust  relationships  is  too  complicated  to  be  done  by  manual  trial-and-error 
methods  for  a  real  distributed  system  (especially  a  VLDS),  from  which  we  can  infer  the  practi¬ 
cal  utility  of  the  algorithms  described  in  this  chapter. 


CHAPTER  5 


TRADING  TRUST  REQUIREMENTS  FOR  PERFORMANCE 


No  synthesis  is  complete  without  performance  considerations.  Under  some  conditions,  to 
improve  performance  of  channel  establishment  mechanisms,  we  may  accept  to  increase  their 
trust  requirements.  If  channel  composition  is  PKE-based,  slightly  increasing  the  trust  require¬ 
ments  allows  agent-to-agent  channels  to  be  built  on  top  of  host-to-host  channels.  Only  the 
host-to-host  channels  need  be  established  over  the  network,  and  this  approach  can  greatly 
increase  the  performance  of  agent-to-agent  secure  communication  with  respect  to  that  of  estab¬ 
lishing  agent-to-agent  channels  directly.  The  accompanying  increase  in  trust  requirements  is 
still  always  a  subset  of  the  set  of  trust  specifications  from  which  the  system’s  name  space  has 
been  synthesized.  However,  if  channel  composition  is  SKE-based,  this  approach  requires  glo¬ 
bal  trusts,  which  may  not  be  satisfied  in  the  name  space.  The  protocol  for  establishing  host-to- 
host  channels  can  be  handled  at  the  subtransport  level  of  the  network  protocol  hierarchy.  A  pro¬ 
totype  of  the  subtransport-level  channel  establishment  protocol  has  been  implemented  on  Sun 
3/50  workstations  connected  by  a  10  Mb/s  Ethernet.  Experimental  measurements  confirm  that 
both  the  average  latency  of  messages  and  the  maximum  throughput  improve  substantially  when, 
instead  of  establishing  agent-to-agent  channels  directly,  host-to-host  channels  are  established, 
and  agent-to-agent  channels  are  built  on  top  of  host-to-host  channels.  These  improvements  are 
primarily  due  both  to  the  sharp  decrease  in  the  number  of  channel  establishment  operations 
across  the  network  and  to  piggybacking  of  messages  from  several  agent-to-agent  channels  on  to 
a  single  host-to-host  channel  message. 

5.1.  Introduction 

In  Chapter  3,  protocols  for  PKE-  and  SKE-based  channel  composition  were  analyzed  for 
their  trust  requirements,  and  it  was  shown  that  PKE-based  channel  composition  has  much 
smaller  trust  requirements.  In  the  previous  chapter,  we  showed  how  to  construct  PKE-based 
name  spaces  given  the  trust  relationships  of  all  the  agents  sharing  the  distributed  system.  When 
a  new  channel,  say  channel(A,-,  Ak ),  is  established  using  a  PKE-based  name  space,  Ax  obtains 
the  public  key  of  Ak.  Authentication  of  a  message  from  Ak  to  A,-  on  channeKA,- ,  Ak)  is  pro¬ 
vided  by  encrypting  the  message  with  Ak ’s  private  key.  Privacy  of  a  message  from  A,  to  Ak  on 
channel(A,  ,Ak)  is  provided  by  encrypting  the  message  with  Ak ’s  public  key. 

However,  public  key  encryption  is  expensive  [Koc,NBS77],  An  alternative  way  would  be 
for  A,  and  Ak  to  agree  upon  a  single  key  S*  using  the  first  few  messages  on  channel(A,,  Ak), 
and  then  use  Sik  as  the  key  of  channel(A,  ,  Ak)  [Dif82,PoK79].  Authentication  of  a  message 
from  Ak  to  A,  on  channel(A;,  Ak)  would  in  this  case  be  provided  by  a  cryptographic  checksum 
computed  using  S Privacy  of  a  message  from  A,-  to  Ak  on  channel(A,-,  Ak)  is  provided  by 
encrypting  the  message  with  SA.  This  bootstrapped  PKE-based  channel  composition  protocol 
combines  the  advantages  of  PKE  and  SKE  schemes,  i.e.,  it  has  the  efficiency  of  the  SKE 
scheme  while  having  the  smaller  trust  requirements  of  the  PKE  scheme. 

The  bootstrapped  PKE-based  protocol,  even  though  it  is  much  more  efficient  than  a  pure 
PKE-based  protocol,  has  significant  performance  disadvantages  with  respect  to  protocols 
without  security  mechanisms.  Suppose  that  there  are  agents  A,- x  and  Ai2  on  a  host  HA ,  and  there 
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are  agents  AkX  and  Ak2  on  a  second  host  HB  *.  If  each  agent  on  HA  communicates  with  each 
agent  on  HB  and  vice  versa,  eight  channels  (four  bidirectional  channels)  have  to  be  established. 
Thus,  the  number  of  channels  to  be  established  in  the  worst  case  grows  quadratically  with  the 
number  of  agents  on  the  two  hosts  (see  Figure  5. 1).  Each  channel  establishment  involves  agree¬ 
ing  upon  a  single  key,  and  each  agreement  requires  a  three-way  handshake  protocol.  The  cost 
of  such  a  channel  establishment  mechanism  can  become  sufficiently  prohibitive  so  as  to  dis¬ 
suade  agents  from  using  secure  communication  channels  entirely. 

The  goal  of  this  chapter  is  to  investigate  whether  trust  relationships  can  be  traded  for  per¬ 
formance;  in  particular  we  want  to  design  a  protocol  with  substantially  improved  performance 
but  with  slightly  higher  trust  requirements.  We  will  show  how,  in  a  PKE-based  name  space,  by 
only  slightly  increasing  the  trust  requirements,  the  performance  can  be  greatly  improved,  while 
the  increased  trust  requirements  still  form  a  subset  of  the  set  of  trust  specifications  from  which 
the  name  space  has  been  synthesized.  We  will  also  show  how,  in  an  SKE-based  name  space, 
the  requisite  increase  in  trust  requirements  is  so  unacceptable  as  not  to  permit  any  practical 
increase  in  performance. 

The  performance  disadvantages  of  pure/bootstrapped  PKE-based  channel  establishment 
protocols  stem  from  the  fact  that,  for  each  pair  of  communicating  agents  on  two  hosts,  a 


Host  A  Host  B 


Figure  5.1:  Multiple  user-to-user  channels 


1  When  we  say  an  agent  is  on  a  host,  we  mean  that  a  process  belonging  to  the  agent  is  on  the  host.  Similarly,  an 
agent-to-agent  channel  between  two  agents  means  a  process-to-process  channel  between  two  processes  belonging  to 
the  two  agents. 
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separate  channel  must  be  established  across  the  network.  To  increase  the  perfonnance,  we  must 
reduce  the  number  of  channels  established  across  the  network.  In  this  chapter  we  present  a 
channel  establishment  protocol  called  Authenticated  Datagram  Protocol  (ADP)  ",  which  estab¬ 
lishes  just  one  host-to-host  channel  across  the  network  between  any  two  hosts,  and  builds 
agent-to-agent  channels  on  top  of  these  host-to-host  channels. 

The  reduction  in  the  number  of  channels  that  are  established  across  the  network  in  ADP 
comes  with  an  accompanying  increase  in  trust  requirements.  This  increase  in  trust  requirements 
consists  of  trust  relationships  involving  hosts  on  which  agents  have  processes.  In  order  effec¬ 
tively  to  describe  these  trust  relationships  involving  hosts  and  agents,  we  present  a  high  level 
model  of  process  execution  in  Section  5.2.  In  Section  5.3  we  describe  ADP,  and  in  Section  5.4 
we  derive  ADP’s  trust  requirements,  and  show  how  they  are  noticeably  higher  than  those  of  a 
pure  PKE-based  channel  establishment  protocol.  We  then  introduce  some  modifications  to 
ADP  that  substantially  reduce  its  trust  requirements  without  affecting  its  performance.  With 
these  modifications,  ADP’s  trust  requirements  become  only  slightly  higher  than  those  of  a  pure 
PKE-based  channel  establishment  protocol.  Moreover,  the  increased  trust  requirements  still 
form  a  subset  of  the  set  of  trust  specifications  from  which  the  name  space  has  been  synthesized. 
In  Section  5.5,  we  show  that,  if  an  SKE-based  name  space  is  used,  building  agent-to-agent 
channels  upon  host-to-host  channels  (as  in  ADP)  results  in  global  trust  requirements  which  may 
not  be  satisfied  in  the  name  space.  Section  5.6  defines  the  concept  of  a  trust  domain,  and  shows 
how  it  can  be  used  further  to  increase  the  performance  of  ADP.  Section  5.7  details  the  advan¬ 
tages  of  ADP  over  directly  establishing  agent-to-agent  channels  across  the  network,  and  Section 
5.8  presents  results  of  experimental  measurements  of  a  prototype  of  ADP  that  confirm  its 
expected  performance  benefits.  Finally,  Section  5.9  concludes  the  chapter. 

5.2.  A  Model  of  Process  Execution  on  Hosts 

Each  host  has  a  kernel  running  on  it.  At  any  point  in  time,  each  host  has  an  agent  that  is 
the  host’s  owner.  Host  ownership  is  established  at  boot  time,  before  network  communication 
takes  place;  it  might  be  done  manually  or  from  a  ROM.  Usually,  the  agent  who  boots  the  kernel 
on  the  host  becomes  the  host  owner.  Host  ownership  may  change  over  time,  e.g.,  as  different 
people  boot  a  public  workstation.  Each  host  has  a  (public-key,  private-key)  pair  associated  with 
it,  which  is  the  (public-key,  private-key)  pair  of  the  host  owner.  The  trust  relationships  of  a  host 
are  those  of  its  owner.  A  crash-free  period  under  a  single  host  owner  is  called  a  kernel  session. 
In  the  sequel,  we  shall  use  the  terms  “host”  and  “kernel”  interchangeably.  We  shall  also  use 
the  terms  “agent”,  “user”  and  “owner”  synonymously. 

The  host  may  support  multiple  user  processes,  each  of  which  has  an  agent  as  its  owner, 
perhaps  different  from  the  host  owner.  Processes  communicate  with  each  other  through  mes¬ 
sages.  Each  message  has  a  message  sender  field  containing  the  name  of  the  owner  of  the  send¬ 
ing  process,  and  a  message  receiver  field  containing  destination  information.  A  kernel  has 
access  to  the  private  keys  of  the  host  owner  and  of  the  owners  of  all  the  user  processes  it  has 
executed  or  is  executing. 

A  kernel  must  satisfy  some  correctness  requirements  with  regard  to  security.  There  has 
been  substantial  formal  work  in  the  area  of  kernel  security  correctness  [CGH81,Lan81,Sal74]. 
Without  going  into  formal  descriptions  of  secure  kernels,  for  the  purposes  of  discussing  how 


2  The  protocol  is  so  named  because  it  provides  message  authenticity  for  all  messages,  and  assumes  the  ex¬ 
istence  of  an  underlying  network  protocol  that  provides  at  least  a  host-to-host  datagram  service. 
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ADP  might  fit  inside  a  secure  kernel,  we  will  give  an  intuitive  set  of  conditions  that  a  secure 
kernel  must  satisfy. 

Figure  5.2  represents  our  model  for  the  organization  of  the  kernel.  It  consists  of  modules 
of  code  and  private  data.  The  passing  of  messages  between  modules  is  handled  by  a  special  ker¬ 
nel  module  called  the  message  passing  module.  The  channel  establishment  functions  are  han¬ 
dled  by  a  module  called  the  security  module.  Kernel  modules  which  handle  either  an  outgoing 
message  before  it  is  passed  to  the  security  module  or  an  incoming  message  after  it  has  been  pro¬ 
cessed  by  the  security  module  are  called  type-1  modules.  Protocol  modules  above  the  layer  at 
which  channel  establishment  mechanisms  are  handled  are  examples  of  type-1  modules.  Kernel 
modules  which  handle  either  an  outgoing  message  after  it  has  been  processed  by  the  security 
module  or  an  incoming  message  before  it  has  been  processed  by  the  security  module  are  called 
type-2  modules.  In  a  protocol  architecture  where  channel  establishment  mechanisms  are  handled 
above  the  data  link  layer,  a  network  driver  is  an  example  of  a  type-2  module.  Kernel  modules 
other  than  the  security  module,  the  message  passing  module,  the  type-1  modules,  and  the  type-2 
modules  are  called  type-3  modules.  The  private  keys  are  part  of  the  private  data  storage  of  the 
security  module.  The  security  module,  the  message  passing  module,  the  type-1  modules,  and 
the  type-2  modules  are  together  called  critical  modules. 

A  kernel  is  security-correct  if  the  following  conditions  hold: 

(1)  The  only  way  for  a  user  process  to  communicate  with  the  kernel  is  through  messages. 

(2)  When  a  user  process  sends  a  message  to  a  kernel  module,  the  message  passing  module 
sets  the  message  sender  field  to  be  the  owner  of  that  process.  Thereafter,  the  message 
passing  module  and  the  type-1  modules  do  not  change  (a)  the  message  sender  field,  or  (b) 
the  message  receiver  field,  (c)  the  data  part  of  the  message. 
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Figure  5.2:  Kernel  module  structure 


89 


(3)  The  message  passing  module  does  not  deliver  a  message  to  a  user  process  if  the  owner 
of  that  user  process  is  different  from  that  indicated  in  the  message  receiver  field. 

(4)  The  private  data  storage  of  the  security  module  is  read  or  written  by  no  other  module. 

(5)  The  security  module  executes  its  algorithms  (to  be  given  later)  correctly. 

(6)  Type-2  modules  do  not  directly  communicate  with  type-1  or  type-3  modules  or  user 
processes. 

These  conditions  were  obtained  from  intuitive  notions  of  what  a  non-malicious  kernel  should 
provide  with  respect  to  secure  communication  between  user  processes. 

When  an  agent  A,  executes  a  process  on  a  security-correct  host  HA ,  there  are  some  impli¬ 
cations  for  A,-  ’s  trust  relationships.  Since  A-t  ’s  private  key  is  accessible  to  HA ,  H A  is  assumed 
not  to  use  the  private  key  to  masquerade  as  Af  or  reveal  secret  messages  sent  to  At- ,  and  is 
assumed  not  to  reveal  the  private  key.  Thus,  a  trust  relationship  that  guarantees  the  following 
three  conditions  is  required  between  A,-  and  the  owner  of  HA : 

For  each  agent  Az  (x  *i ), 

(1)  When  Ax  receives  a  message  encrypted  with  A,  ’s  private  key,  the  message  was  not 
sent  by  HA  masquerading  as  A,- . 

(2)  When  Ax  sends  a  secret  message  encrypted  with  A,  ’s  public  key,  host  HA ,  which  can 
decrypt  this  message  with  A,  ’s  private  key,  does  nor  reveal  the  secret  message. 

(3)  Ha  does  not  reveal  At ’s  private  key  to  Ax . 

If  Aj  denotes  the  owner  of  HA ,  the  above  trust  relationship  between  A,  and  A,  can  be  formally 
expressed  using  the  key  user-possessor  trust  defined  in  Chapter  3.  The  first  aspect  of  the  trust  is 
expressed  by  message  privacy  trust,  the  second  by  trust  against  masquerading  and  the  third  by 
key  privacy  trust.  The  three  together  form  key  user-possessor  trust,  which  with  universal 
quantification  over  Ax  defines  the  Universal  Trust: 

Tu(A„  Aj)  (Universal  Trust):  Tv(AitAj)  is  true  if  and  only  ifV  Ax  x*i,  TKUP(AX,  Ay,  At)  = 
true.3 

Ty  (A, ,  Aj )  is  required  to  be  true  whenever  a  host  owned  by  Ay  has  access  to  A,  ’s  private 
key,  and  vice  versa. 

Universal  trust  is  transitive,  as  shown  by  the  following  theorem: 

Theorem  5.1  (Transitivity  Theorem):  For  all  agents  Ait  A}  and  Ak,  if  Tu(Ai,  Ay)  =  true  and 
Tv (Aj ,  Ak)  =  true,  then  Tv (A,- ,  Ak )  =  true. 

Proof:  The  proof  is  fairly  simple. 

Since  TyiA, ,  Ay)  =  true ,  a  host  Hj  owned  by  Ay  has  access  to  A; ’s  private  key  in  Hj  ’s 
storage.  (5-1) 

Since  Tv  (Ay  ,Ak)  =  true ,  a  host  Hk  owned  by  Ak  has  access  to  Ay ’s  private  key.  With  Ay ’s 
private  key  in  its  possession,  Hk  has  access  to  all  of  Hj ’s  storage.  (5.2) 


3  T/cup(Ax<  Aj,AA  is  trivially  true  for  x=j . 
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By  (5.1)  and  (5.2),  Hk  has  access  to  At ’s  private  key.  Thus  Tv(Ai ,  Ak)  must  be  true. 


□ 


If  we  view  the  universal  trust  as  a  binary  relation  on  agents,  we  can  define  a  set  of  agents, 
denoted  by  key-closure,  as  the  following  union  of  transitive  closures  of  the  universal  trust. 

key-closure(Ai):  Union  of  the  transitive  closures  of  Tv  (At ,  Ay )  for  all  Ay . 

Key-closure (A; )  will  contain  the  owners  of  all  hosts  that  have  access  to  At ’s  private  key. 

5 3.  The  Authenticated  Datagram  Protocol 

ADP  [AnV87]  is  a  host-to-host  channel  establishment  protocol,  and  hence  is  handled  at 
the  subtransport  level  of  a  network  protocol  hierarchy  [AFV87c].  ADP  has  been  designed  and 
implemented  [AFV87b]  as  part  of  DASH,  an  experimental  distributed  operating  system 
[AFV87a]  being  designed  at  the  University  of  California  at  Berkeley. 

DASH  is  an  open  system  in  which  many  transport-level  protocols  [Tan81,Tan88],  both 
stream-oriented  and  request/reply,  may  exist.  The  clients  of  ADP  are  kernel-level  transport  pro¬ 
tocol  modules,  and  ADP  in  turn  is  a  client  of  multiple  networic-level  services  that  provide  at 
least  a  host-to-host  datagram  service  [Tan81,Tan88]  (see  Figure  5.3). 

ADP  maintains  two  kinds  of  channels,  host-to-host  channels  and  agent-to-agent  channels, 
with  the  latter  being  built  on  top  of  the  former.  Host-to-host  channels  are  also  called  ADP 
channels.  A  summary  description  of  ADP’s  operation,  as  it  would  be  carried  out  between  two 
hosts  Ha  and  HB ,  is  as  follows.  The  two  hosts  establish  an  ADP  channel  using  a  bootstrapped 
PKE-based  channel  composition  protocol.  No  agent-specific  channels  are  established  across  the 
network  -  all  user  messages  between  HA  and  Hg  are  sent  on  the  ADP  channel  between  them. 
This  reduces  the  worst  case  channel  establishment  overhead  from  being  a  quadratic  function  of 
the  number  of  users  to  being  a  constant  factor.  HA  and  Hg  build  agent-to-agent  channels  upon 
their  ADP  channel  by  sending  to  each  other  the  PKE-based  certificates  [Akl83,  Den84b] 
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Figure  5.3:  Position  of  ADP  in  the  ISO/OSI  model  of  network  architecture 
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(described  below)  of  their  respective  users.  The  two  hosts  cache  the  PKE-based  certificates  sent 
and  received,  thereby  reducing  the  overhead  of  building  agent-to-agent  channels  over  their  ADP 
channel. 

5.3.1.  ADP  Channels 

ADP  establishes  an  ADP  channel  between  two  hosts  HA  and  HB  when  they  communicate 
for  the  first  time,  and  thereafter  the  channel  continues  to  exist  until  one  of  the  hosts  fails.  The 
protocol  for  channel  establishment  consists  of  the  following  steps  (see  Figures  5.4  and  5.5): 

(1)  Ha  sends  an  ADP  channel  request  message  to  HB .  This  message  contains  two  random 
strings  S  and  T.  S  is  encrypted  with  HB ’s  public  key  for  privacy.  T  may  be  sent  in  clear¬ 
text.  The  entire  message  is  cryptographically  checksummed  with  HA  ’s  private  key  for 
authenticity  [Akl,  Den84a].  S  will  be  used  as  the  single  key  of  the  ADP  channel  between 
Ha  and  Hb  ,  and  T  will  be  used  for  certificates  from  HB  to  HA . 

(2)  Hb  sends  an  ADP  channel  acknowledgement  message  containing  a  random  string  R  to 
be  used  for  certificates  from  HA  to  Ha .  The  first  certificate  sent  from  HA  to  HB  serves  to 
complete  a  three-way  handshake  for  the  ADP  channel  establishment.  If  both  HA  and  HB 
simultaneously  try  to  establish  an  ADP  channel  to  each  other,  the  host  with  the  lexico¬ 
graphically  greater  name  determines  the  channel  key  S . 

In  Section  5.4,  we  derive  the  trust  requirements  necessary  if  this  protocol  is  to  result  in  the 
establishment  of  a  host-to-host  channel  HA  -HB ,  i.e.,  channeK//^ ,  HB )  and  channel(//B ,  HA ). 

533,.  Sending  Certificates  of  Agents 

If  A*  is  an  agent,  we  say  that  Ak  is  certified  from  HB  to  HA  if  HB  sends  the  string  [HB , 
R },  which  is  a  concatenation  of  the  name  HB  and  the  random  number  R  specified  by  HA , 
encrypted  with  Ak ’s  private  key  on  the  ADP  channel  between  HA  and  HB  (see  Figure  5.6). 
When  Ha  receives  the  certificate,  HA  decrypts  it  with  Ak ’s  public  key,  and  compares  the  result 
with  [Hb  ,  R  }.  In  Section  5.4,  we  derive  the  trust  requirements  necessary  if  the  certification  of 
Ak  from  Hb  to  Ha  is  to  result  in  the  establishment  of  channel^* ,  Ak),  for  all  agents  Ax  having 
processes  on  HA . 

The  sending  of  Ak ’s  certificate  from  HB  to  HA  is  normally  done  only  once  on  an  ADP 
channel.  HA  and  HB  both  maintain  identical  tables  of  agents  that  have  been  certified  from  HB 
to  Ha  ,  and  separate  tables  for  agents  certified  in  the  reverse  direction  (see  Figure  5.7).  This 
caching  of  certificates  means  that  expensive  PKE-based  encryption  is  done  only  once  per  agent 
per  host  per  ADP  channel. 

5 3  .3.  Messages  on  an  ADP  Channel 

Three  levels  of  messages  must  be  distinguished  (Figure  5.2): 

Client  messages  are  the  messages  read  or  written  by  clients  of  ADP. 

ADP  messages  are  a  logical  unit  of  exchange  between  ADP  instances  on  different  hosts.  An 
ADP  message  consists  of  a  header  followed  by  one  or  more  items,  each  of  which  may  be  1)  a 
client  message;  2)  an  agent’s  certificate  or  a  request  for  an  agent’s  certificate;  3)  a  request  to 
establish  a  ADP  channel,  or  the  acknowledgement  of  such  of  a  request;  4)  a  request  to  change 
the  key  of  a  ADP  channel. 

Network  messages :  the  network  facility  underlying  ADP  is  assumed  to  provide  an  insecure  and 
unreliable  datagram  service.  If  the  size  of  an  ADP  message  exceeds  the  maximum  size  allowed 
by  the  network  layer  beneath  ADP,  ADP  divides  the  ADP  message  into  multiple  network 


92 


Host  A  Host  B 


Figure  5.4:  Hosts  HA  and  HB  just  before  establishing  an  ADP  channel 


Host  A  Host  B 


msg-l 


msg-2 

< - 

Figure  5.5:  Establishment  of  an  ADP  channel  between  HA  and  HB .  HA  sends  the  channel 
request  msg  i  consisting  of  the  doubly  encrypted  channel  key  S  (encrypted  first  with  H A ’s 
private  key  and  then  with  HB  ’s  public  key)  and  a  random  number  T .  HB  sends  the  chan¬ 
nel  reply  msg  2,  consisting  of  a  random  number  . 


93 


Host  A  Host  B 


user  ( 

0 

(^Ak^  user 

kernel 

kernel 

ADP 

Ak  <t—  authenticated 

agents 

QZ 

ZD  ADP 

Remote  ,  . 
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msg-3 
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Figure  5.6:  Certification  of  agents*  from  Ha  to  HA .  HB  sends  a  certificate  msg-$  consist¬ 
ing  of  the  string  [HB ,  T }  encrypted  with  Ak ’s  private  key. 


messages. 

5J.4.  The  ADP  Client  Interface 

Message  addressing  is  done  on  the  basis  of  network-dependent  host  addresses  and,  on  a 
particular  host,  multiple  ports.  Ports  have  identifiers  (port  ID’s)  that  are  guaranteed  to  be 
unique  on  a  given  host  between  crashes.  ADP  clients  inform  ADP  that  messages  can  be 
delivered  to  the  given  port  using 

register_port ( 

port_ID  port,  //  the  port  being  registered 
char  *local_agent,  //  agent  associated  with  the  port 
) ; 

where  local _agent  is  an  agent  whose  private  key  is  known  to  the  host.  ADP  may  then  deliver 
messages  to  the  port.  Each  message  is  prepended  with  the  name  of  its  sender.  Clients  of  ADP 
can  send  messages  using 
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Figure  5.7:  Certification  of  agent  A*  from  HA  to  HB.  HA  sends  a  certificate  msg4  consist¬ 
ing  of  the  string  [HA ,  R  }  encrypted  with  A,-  ’s  private  key. 


ADP_send ( 

MESSAGE  *msg,  / / 

char  *local_agent, 
char  *remote_host , 
char  *remote_j?ort, 
char  *remote_agent , 
BOOLEAN  privacy, // 
int  max_delay  // 


the  message  being  sent 
//  name  of  sender 
//  destination  host  name 
//  destination  port  ID 
//  name  of  recipient 
whether  message  is  private 
maximum  local  queueing  delay 


The  remote_agent  argument  is  used  only  if  privacy  is  true;  in  this  case  ADP  will  obtain  a 
certificate  of  the  agent  on  the  remote  host  before  sending  the  message.  The  max_delay  parame¬ 
ter  is  a  time  interval  (in  microseconds)  for  which  this  message  can  be  queued  locally  (see  Sec¬ 
tion  5.3.6). 


5.3.5.  Transmission  of  Client  Messages 

ADP’s  handling  of  client  messages  depends  on  the  nature  of  the  intervening  network. 
physical  broadcast  network  (PBN)  is  one  in  which  there  is  a  single  transmission  medium, 
the  absence  of  packet  loss  due  to  buffer  overrun,  if  any  node  on  a  PBN  receives  a  packet  in 
entirety,  then  the  node  to  which  it  is  addressed  also  does  so.  A  single  Ethernet,  for  example,  is 
a  PBN.  Token  rings  and  bridged  Ethernets,  though  they  may  support  logical  broadcast,  are  not 
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PBN’s. 

ADP  messages  to  a  destination  on  the  same  PBN  as  the  sender  are  transmitted  as  a 
sequence  of  netwoik  packets  (fragments),  each  of  which  ends  with  a  security  trailer  4  contain¬ 
ing  a  sequence  number  encrypted  with  the  channel  key.  When  the  node  to  which  a  fragment  is 
addressed  receives  a  packet,  the  node  decrypts  the  security  trailer  to  obtain  the  packet’s 
sequence  number.  If  the  sequence  number  is  greater  than  that  of  the  previously  received  packet, 
this  is  the  first  packet  on  the  netwoik  with  this  sequence  number.  Since  the  sequence  number  is 
encrypted  with  the  channel  key,  and  the  host  at  the  other  end  of  the  ADP  channel  must  have 
sent  the  packet,  the  packet  is  authentic  and  is  accepted  by  the  destination  node.  Thus,  security 
trailers  provide  message  authentication  on  PBN’s.  The  destination  ADP  module  handles 
reassembly.  Strictly  increasing  sequence  numbers  are  used;  when  the  space  of  sequence 
numbers  is  exhausted,  a  new  channel  key  is  negotiated.  Client  messages  for  which  privacy  was 
requested  are  sent  encrypted  with  the  channel  key;  others  are  sent  in  cleartext 

If  the  destination  host  is  not  on  a  common  PBN,  ADP  uses  a  lower-level  Internet  Protocol 
[81b]  module  to  handle  routing  and  fragmentation.  ADP  delivers  complete  ADP  messages  to  IP 
with  a  security  header  that  includes  a  cryptographic  checksum  [Akl,  Den84a]  of  the  entire  mes¬ 
sage,  encrypted  with  the  channel  key.  The  IP  module  at  the  destination  host  reassembles  the 
ADP  message  and  delivers  it  to  the  ADP  module,  which  recomputes  the  cryptographic  check¬ 
sum  and  verifies  that  it  matches  the  encrypted  version.  As  before,  private  client  messages  are 
encrypted. 

53.6.  Piggybacking 

In  some  cases,  system  performance  can  be  increased  by  piggybacking  multiple  client  mes¬ 
sages  into  a  single  ADP  message  (see  Figure  5.8).  This  is  made  possible  by  allowing  ADP 
clients  to  specify  a  maximum  queueing  delay  for  each  message.  Many  types  of  messages,  such 
as  retransmissions,  asynchronous  write  operations,  and  some  types  of  acknowledgements,  can 
be  be  delayed  a  small  amount  (a  fraction  of  a  second)  with  no  loss  in  system  performance  or 
functionality.  These  “non-urgent”  messages  can  therefore  be  queued  in  the  sender  for  this 
period  and  merged  with  other  client  messages  on  the  same  channel.  In  this  case,  one  ADP  mes¬ 
sage  may  include  several  client  messages.  If  the  client  messages  do  not  require  secrecy,  then  in 
general  less  encryption  is  required,  since  a  single  encrypted  sequence  number  or  checksum  will 
serve  to  authenticate  multiple  client  messages.  Piggybacking  may  also  reduce  CPU  overhead, 
since  the  per-message  costs  of  piggybacking  (queueing  and  timers)  are  likely  to  be  lower  than 
those  of  network  packet  transmission. 

The  maximum  delay  of  a  client  message  is  supplied  by  the  process  sending  it  (usually  a 
transport  protocol).  If  the  delay  is  zero  (i.e.,  for  “urgent”  messages)  ADP  will  send  the  mes¬ 
sage  as  soon  as  possible.  If  the  delay  is  nonzero  the  message  may  be  queued  for  a  period  not 
exceeding  the  delay.  The  queueing  period  will  be  less  if  the  queue  exceeds  the  maximum  ADP 
message  size,  or  if  there  is  a  shorter-delay  message  in  the  queue.  This  maximum  ADP  message 
size  will  depend  on  the  amount  of  buffer  space  available,  and  may  be  limited  by  the  maximum 
size  of  the  messages  that  can  be  accepted  by  the  lower  protocol  layers. 


4  Either  a  security  trailer  or  a  security  header  can  be  used. 
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Host  A  Host  B 


Figure  5.8:  Several  agent-to-agent  channels  multiplexed  on  to  an  ADP  channel 


5.4.  Trust  Requirements  of  ADP 

The  establishment  of  an  ADP  channel  between  two  hosts  HA  and  HB  results  in  the  logical 
establishment  of  two  channels  (HA ,  HB )  and  (HB ,  H A ),  if  some  trust  requirements  are  satisfied. 
Let  us  investigate  these  trust  requirements. 

In  the  ADP  channel  establishment  protocol,  let  HA  send  the  ADP  channel  request.  In 
order  to  send  the  request,  HA  must  obtain  HB  ’s  public  key  using  name  resolution  in  the  name 
space.  But  notice  that  obtaining  HB ’s  public  key  results  in  the  establishment  of  a  PKE-based 
channeled,  HB)  (see  Section  3.4).  Using  results  of  Section  3.7,  security  of  this  channel 
requires  the  satisfaction  of  a  trust  predicate,  which  we  denote  by  pred ^  .s 

When  Hb  receives  the  ADP  channel  request  from  HA ,  HB  must  obtain  HA ’s  public  key  to 
decrypt  the  request  Obtaining  HA  ’s  public  key  results  in  the  establishment  of  a  PKE-based 
channel(//fl ,  HA  ).  Let  the  trust  predicate  that  must  be  satisfied  for  the  security  of  this  channel 
be  denoted  by  predBA . 

If  both  pred^  and  predBA  are  true,  HA  and  HB  correctly  possess  each  others’ public  keys, 
and  the  single  key  S  sent  by  HA  in  the  ADP  channel  request  is  known  only  to  agents/hosts  that 
might  possess  either  HA ’s  private  key  or  H B ’s  private  key,  i.e.,  the  agents/hosts  in  key- 


5  The  trust  predicate  is  determined  by  the  sequence  of  channel  compositions  (in  the  name  space)  used  in  estab¬ 
lishing  the  channel. 
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closure(//A )  6  or  in  key-closure(//B ).  Since  the  agents  in  key-closure^ )  and  key-closure(//B ) 
possess  the  private  keys  of  HA  and  HB  respectively,  we  obtain  that  the  following  must  be  true 
(recall  the  meaning  of  Tv  from  Section  5.2): 

Tv  (Ha  ,  key  -closure  (HA  ))  A  Tv  (HB ,  key  -closure  (HB  ))  (5 . 3) 

If  H A  and  Hb  were  to  use  S  as  their  channel  key,  HA  and  HB  must  have  key  user- 
possessor  trust  in  all  the  agents  that  might  possess  S ,  so  as  to  ensure  that  these  agents  will  not 
use  S  to  compromise  the  security  of  the  ADP  channel  between  HA  and  HB .  Since  the  agents 
that  might  possess  S  are  those  in  key-closure(//A )  or  key-closure(//B ),  we  obtain  that  the  fol¬ 
lowing  must  be  true: 

Tkup  (Ha  .  key  -closure  (HA ),  HB )  A  Tkup  (HA ,  key  -closure  (HB ),  HB )  A 

Tkup  (hb  >  key  -closure  (HA),HA)  A  TKUP  (HB ,  key  -closure  (HB ),  HA)  (5.4) 

But  notice  that,  using  the  definition  of  the  universal  trust  (see  Section  5.2), 

Tkup  (Ha  .  key  -closure  (HB ),  HB ) 
follows  from: 

Tv(Hb  ,  key -closure  (HB )), 
and 

Tkup  (hb  .  key  -closure  (HA ),  HA  ) 
follows  from: 

Tu(Ha  ,  key  -closure  (HA )) 

Hence,  in  eq  (5.4), 

Tkup  (ha  ■  key  -closure  (HB ),  HB )  ATKUP  (HB ,  key  -closure  (HA),HA) 
follows  from  eq  (5.3). 

Summarizing  these  results,  we  obtain  the  following  theorem: 

Theorem  5.2:  Establishment  of  an  ADP  channel  between  two  hosts  HA  and  HB  results  in  the 
logical  establishment  of  channels  (HA ,  HB )  and  (H B ,  HA )  if  and  only  if: 

(1)  the  trust  requirements  for  establishing  channels  (HA ,  HB )  and  (HB ,  HA )  using  channel 

compositions  in  a  PKE-based  name  space  are  satisfied, 

(2)  Ha  has  universal  trust  in  all  agents  in  key-closure(//A )  and  HB  has  universal  trust  in 

all  agents  in  key-closure (7/fl ),  and 

(3)  T/ojp  (Ha  ,  key  -closure  (HA ),  HB )  and  TKUP  (HB ,  key  -closure  (HB  ),HA)  are  satisfied. 

□ 


6  The  following  short-hand  notations  are  used  throughout:  A  host’s  name  mentioned  in  a  place  where  an  agent’s 
name  would  be  expected  refers  to  the  host’s  owner,  an  agent’s  name  mentioned  in  a  place  where  a  host’s  name  would 
be  expected  refers  to  all  the  hosts  owned  by  the  agent,  and  a  set  mentioned  in  a  place  where  a  member  of  the  set 
would  be  expected  refers  to  all  the  members  in  the  set. 
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Now  consider  agent  certification.  When  HA  receives  a  certificate  of  an  agent  Ak  from  HB , 
for  all  agents  Ax  that  have  processes  on  HA ,  channel(Ax ,  Ak )  becomes  established  if  some  addi¬ 
tional  trust  requirements  are  satisfied.  Let  us  investigate  these  trust  requirements. 

When  Ha  receives  Ak ’s  certificate,  HA  must  obtain  Ak ’s  public  key.  Obtaining  Ak  ’s  pub¬ 
lic  key  results  in  the  establishment  of  a  PKE-based  channel(//A ,  Ak).  Let  the  trust  predicate  that 
must  be  satisfied  for  the  security  of  this  channel  be  denoted  by  pred^. 

ttpredte  is  satisfied,  HA  correctly  possesses  Ak's  public  key,  and  hence  some  agent  that 
has  Ak's  private  key  sent  Ak ’s  certificate  to  HA.  If  TvlAk,  key -closure  (Ak))  is  satisfied,  Ak 
must  have  sent  the  certificate.  Since  the  certificate  contains  the  name  of  HB ,  Ak  on  HB  must 
have  sent  the  certificate.  Since  the  certificate  contains  the  random  number  T,  Ak  on  HB  must 
have  sent  the  certificate  during  the  kernel  session  of  the  current  ADP  channel.  Thus,  HB  has  a 
process  owned  by  Ak  during  the  current  kernel  session. 

Now  consider  a  message  msg^  sent  from  HB  to  HA  with  the  message  sender  field  equal  to 
Ak,  and  the  message  recipient  field  equal  to  Ax.  Since  HB  has  a  process  owned  by  Ak  during 
the  current  kernel  session,  HB  possesses  Ak  s  private  key,  HB  belongs  to  key-closure(A*),  and 
hence  Tv(Ak,  HB )  is  satisfied.  Thus,  HB  does  not  masquerade  as  Ak,  and  hence  msg^  must 
have  been  sent  by  Ak.  If  the  trust  requirements  of  Theorem  5.2  are  satisfied,  the  authenticity  of 
ms  gin  remains  intact  between  HB  and  HA .  If  Ax  has  a  process  on  HA  and  HA  is  security- 
correct,  the  authenticity  of  msg^  remains  intact  from  HA  to  Ax. 

A  similar  derivation  can  be  carried  out  for  the  privacy  of  a  secret  message  sent  from  Ax  to 

A*- 

The  following  theorem  summarizes  the  above  derivations  for  the  trust  requirements  of 
channeKA*,  A*). 

Theorem  5  J:  Suppose  Ak  is  an  agent  having  processes  on  a  host  HB .  For  all  agents  Ax  that 
have  processes  on  a  host  HA ,  channel^,,  Ak)  is  established  when  HA  receives  Ak  ’s  certificate 
on  its  ADP  channel  to  HB  if  and  only  if  HA  is  security-correct  and  the  following  trust  require¬ 
ments  are  satisfied: 

(1)  the  trust  requirements  specified  by  Theorem  5.2  for  establishing  channels  (HA ,  HB) 

and  (Hb  ,  Ha  ), 

(2)  the  trust  requirements  for  establishing  channel(//A ,  Ak)  using  compositions  in  a  PKE- 

based  name  space,  and 

(3)  Tu(Ak,  key  -closure  (Ak )). 

□ 


In  the  trust  requirements  given  by  Theorem  5.3  for  channel(Ax,  Ak),  the  trust  predicates 
predfo ,  pred^  and  predBA  arise  from  channel  compositions  in  the  name  space.  Since  the  name 
space  is  designed  so  as  to  satisfy  the  trust  relationships  in  any  channel  composition  carried  out 
through  it,  pred Ak,  pred ^  and  predBA  are  automatically  satisfied.  But  the  universal  and  key 
user-possessor  trust  requirements  which  involve  the  various  key-closures  can  potentially  greatly 
increase  the  trust  requirements,  and  hence  it  is  desirable  to  eliminate  these  trust  requirements. 

Figure  5.9  illustrates  an  effect  of  a  universal  trust  requirement  involving  a  key-closure. 
Alice  has  a  process  on  host  HA  owned  by  Riccardo,  and  Bob  has  a  process  on  host  HB  owned 
by  Stuart.  The  channel  request  CR^  of  the  ADP  channel  between  HA  and  HB  was  sent  by  HA , 
encrypted  with  Riccardo’s  private  key  and  Stuart’s  public  key.  Stuart  himself  has  a  process  on 
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a  host  Hc  owned  by  Peter.  Since  a  host  has  access  to  its  users’  storage,  Peter  has  access  to 
Stuart’s  private  key  on  Hc.  Thus  Peter  can  obtain  the  single  key  SK^  of  the  ADP  channel 
between  HA  and  HB  by  decrypting  CR^  with  Stuart’s  private  key  and  Riccardo’s  public  key. 
Since  messages  from  Bob  to  Alice  are  encrypted  using  SK^ ,  Peter  can  compromise  the  secu¬ 
rity  of  communication  between  Bob  and  Alice.  In  other  words,  since  Bob  has  placed  universal 
trust  in  Stuart,  and  Stuart  has  placed  universal  trust  in  Peter,  Bob  has  to  place  universal  trust  in 
Peter.  In  fact.  Bob  must  place  universal  trust  in  owners  O  j  of  all  hosts  on  which  Peter  might 
have  user  processes,  in  owners  02  of  all  hosts  on  which  owners  O  j  might  have  user  processes, 
and  so  on.  Thus,  the  requirement  of  universal  trust  in  key-closures  can  be  a  serious  disadvan¬ 
tage. 

Let  us  see  if  we  can  eliminate  the  universal  and  key  user-possessor  trust  requirements 
involving  the  various  key-closures.  The  primary  cause  for  these  trust  requirements  in  the  above 
example  is  the  accessibility  of  Stuart’s  private  key  by  Peter.  Suppose  Stuart’s  host  uses  a 
(public-key,  private-key)  pair  that  is  different  from  the  (public-key,  private-key)  pair  used  by 
Stuart’s  user-level  process  on  Peter’s  host.  Hc  no  longer  has  access  to  the  private  key  used  by 
Ha  ,  Peter  can  no  longer  decrypt  the  channel  request  from  HA  to  HB ,  and  hence  Peter  can  no 
longer  obtain  the  key  of  the  ADP  channel  between  HA  and  HB .  Consequently,  the  trust  require¬ 
ments  involving  key-closures  vanish. 

Let  AD p modified  denote  ADP  with  the  modification  that  each  agent  has  two  (public-key, 
private-key)  pairs,  one  of  which  is  used  by  the  agent’s  hosts  and  the  other  is  used  by  the  agent’s 
user-level  processes.  Key-closure^^  )  and  key-closure(//B )  become  empty.  Key-closure^*.) 
becomes  the  set  of  hosts,  hosts  (A k),  on  which  Ak  has  processes.  Using  these  substitutions  in 
Theorems  5.2  and  5.3,  we  obtain  the  next  two  theorems  fo i  ADP modified : 

Theorem  5.4:  Establishment  of  an  ADP channel  between  two  hosts  HA  and  HB  results  in 
the  establishment  of  channels  (HA ,  HB )  and  (HB ,  HA )  if  and  only  if  the  trust  requirements  for 
establishing  channels  (HA ,  HB )  and  (HB ,  HA  )  using  a  PKE-based  name  space  are  satisfied. 


Host  A 


Host  B 


Host  C 


Figure  5.9:  Effect  of  key-closure  trust  requirements 
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□ 


Theorem  5.5:  Suppose  Ak  is  an  agent  having  processes  on  a  host  HB .  For  all  agents  Ax  that 
have  processes  on  a  host  HA ,  channel  (A*,  A*)  is  established  when  HA  receives  Ak's  certificate 
on  its  ADPmodifltd  channel  to  Ha ,  if  and  only  if  HA  is  security-correct  and  the  following  trust 
requirements  are  satisfied: 

(1)  the  trust  requirements  specified  by  Theorem  5.4  for  establishing  channels  (HA,  HB) 
and  (Hb  ,  Ha  ), 

(2)  the  tmst  requirements  for  establishing  channel(//A ,  Ak )  using  channel  composition  in  a 
PKE-based  name  space,  and 

0)Tv(Ak,  hosts (A*)). 

□ 


Notice  that  the  first  two  tmst  requirements  of  ADP^^  7  (as  given  by  Theorem  5.5)  are 
automatically  satisfied  in  the  name  space.  The  third  trust  requirement  involves  only  those  hosts 
on  which  Ak  has/had  processes,  and,  given  that  a  host  has  access  to  all  the  data  of  an  agent  hav¬ 
ing  processes  on  the  host,  this  trust  requirement  cannot  be  eliminated  by  any  channel  establish¬ 
ment  protocol. 

If  agent-to-agent  channels  are  established  directly,  establishing  channeled,-,  Ak)  requires 
that  a  tmst  predicate  pred ik,  which  is  determined  by  the  sequence  of  channel  compositions 
between  A;  and  Ak  in  the  name  space,  be  satisfied.  In  comparison,  the  tmst  requirements  of 
ADP  (as  given  by  Theorem  5.5)  are  more  numerous.  In  Section  5.7,  we  justify  the  increased 
tmst  requirements  of  ADP  by  its  significant  performance  advantages  over  protocols  that  estab¬ 
lish  agent-to-agent  channels  directly. 

5.5.  Trust  Requirements  of  ADP  When  Name  Space  is  SKE-based 

We  now  show  that  if  the  name  space  is  SKE-based  as  in  [BLN86],  ADP  requires  global 
tmst.  Consider  a  system  consisting  of  hosts  HA  and  Hg ,  agents  A; ,  AkX  and  Ak2,  and  an  SKE- 
based  name  space  in  which  HA,  HB,  A; ,  AkX  and  Ak2  are  leaf  nodes  (see  Figure  5.10).  Let  A; 
have  processes  on  HA ,  and  Atl  and  Ak2  have  processes  on  HB .  Let  hosts  HA  and  HB  establish 
an  ADP  channel  with  a  channel  key  S ^ .  As  pointed  out  earlier,  establishing  the  ADP  channel 
involves  the  establishment  of  SKE-based  channeled ,  HB )  and  SKE-based  channel(//s ,  HA ) 
using  compositions  in  the  name  space.  Let  the  set  of  name  space  nodes  between  HA  and  HB  be 
denoted  by  NSA_B.  The  nodes  in  NSA_B  are  involved  in  establishing  channel  HA-HB.  If  the 
name  space  is  SKE-based,  as  shown  in  Chapter  3,  the  nodes  in  NSA_B  might  possess  channel 
key  SAB  of  channel  HA-HB. 

When  Ha  receives  a  certificate  of  Akh  SKE-based  channel^ ,  Akl)  must  be  established 
using  compositions  in  the  name  space.  The  key  of  channel^,  Ak])  becomes  known  to  all 
name  space  nodes  in  the  path  between  HA  and  AkX.  But  ADP  uses  the  same  single  key  for 
channel^ ,  Ak  Thus  is  now  known  to  agents  in  any  of  NSA_B  or  NSA_kX. 


7  In  the  sequel,  ADP  will  be  used  to  mean  ADP^/uj  ■ 
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Figure  5.10:  Global  trust  requirements  when  ADP  is  used  with  SKE-based  name  space 


Next,  when  HA  receives  a  certificate  of  Ak 2,  channel (//^ ,  Ak2)  is  established  using  compo¬ 
sitions  in  the  name  space.  Using  similar  arguments  as  above,  we  obtain  that  is  now  known 
to  agents  in  any  of  NSA^ ,  NSA_kl  or  NSA_k2- 

When  A i  on  HA  sends  a  secret  message  to  either  Akl  or  Akl,  is  used  for  encryption. 
Since  SAB  is  known  to  agents  in  any  of  NSA_B,  NSA_kl  or  NSA_k 2,  the  following  key  user- 
possessor  trusts  are  required: 

T kup  O^i •  (NSA-b  >  NSA~k\,  NSA_k2},  ^*1) =  true  (5.4) 

Trup  (Ai .  (NSA_g ,  NSA_k\,  NSA_k2},  Ak2)  =  true  (5.5) 

Continuing  these  arguments  it  can  be  shown  that,  if  an  agent  having  processes  on  HB  can  reside 
at  any  position  in  the  name  space,  each  agent  on  HA  will  be  required  to  have  key  user-possessor 
trust  in  all  the  name  space  nodes  (the  middle  argument  to  TKUP  above  becomes  the  universal 
set),  and  hence  will  be  required  to  have  global  key  user-possessor  trust  This  is  summarized  by 
the  following  theorem: 

Theorem  5.6:  ADP,  if  used  in  a  system  whose  name  space  is  SKE-based,  requires  global  key 
user-possessor  trust. 

□ 


As  a  result  of  Theorem  5.6,  ADP  plus  an  SKE-based  name  space  is  an  unacceptable  combina¬ 
tion  in  distributed  systems  without  global  trust. 
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5.6.  Trust  Domains 

The  set  of  hosts  in  many  distributed  computing  environments  may  contain  subsets  with 
the  following  property:  Within  a  subset,  the  hosts  and  the  communication  channels  between 
them  are  physically  secure,  and  agents  with  access  to  the  hosts  all  place  universal  trust  in  one 
another  (Figure  5.11).  By  Theorem  5.1,  universal  trust  is  transitive,  and  hence  the  same  host 
cannot  belong  to  two  domains.8  Across  subsets,  the  communication  links  may  not  be  physically 
secure,  and  agents  in  one  subset  may  not  place  universal  trust  in  hosts  in  the  other  subset.  We 
call  such  subsets  trust  domains.  Suppose  also  that  all  communication  across  a  subset  boundary 
is  routed  through  one  or  more  hosts  called  domain  gateways.  Within  a  trust  domain,  no  channel 
establishment  mechanisms  are  necessary.  Between  two  domains,  the  two  domain  gateways  9 
can  establish  a  channel,  and  multiplex  messages  from,  and  demultiplex  messages  to,  agents  on 
various  hosts  within  each  domain.  A  special  ADP  module  on  the  domain  gateway  performs 
these  functions.  This  has  the  following  advantages: 

•  Efficiency:  Communication  within  the  domain  has  no  encryption  overhead.  Only  the 

domain  gateway  does  encryption,  so  only  it  need  to  have  encryption  hardware. 

•  Flexibility:  The  channel  establishment  mechanism  between  domain  gateways  can  be 

changed  at  any  time.  Intra-domain  communication  will  not  see  any  changes. 

5.7.  ADP  versus  Direct  Establishment  of  Agent-to-Agent  Channels 

rhannp.l  establishment  mechanisms  must  be  introduced  into  some  levels  of  the  network 
protocol  architecture  [Tan81,Tan88].  ADP  being  a  host-to-host  channel  establishment  proto¬ 
col,  these  mechanisms  can  be  introduced  at  the  subtransport  level.  Protocols  that  establish 
agent-to-agent  channels  directly  across  the  networic  must  be  introduced  at  transport  or  higher 
levels,  because  the  lowest  level  at  which  processes  (belonging  to  agents)  rather  than  hosts  can 
be  communicating  entities,  is  the  transport  level  [SRC84,  VoK83].  If  agent-to-agent  channels 
are  established  directly,  establishing  channel(A,,  Ak)  requires  that  a  trust  predicate  predik, 
which  is  determined  by  the  sequence  of  channel  compositions  between  A,  and  Ak  in  the  name 
space,  be  satisfied.  In  comparison,  the  trust  requirements  of  ADP  (as  given  by  Theorem  5.5)  are 
more  numerous. 

We  will  now  justify  the  increased  trust  requirements  of  ADP  (as  compared  to  those  of  pro¬ 
tocols  that  establish  agent-to-agent  channels  directly)  by  the  performance  advantages  of  sub¬ 
transport  level  channel  establishment  over  channel  establishment  at  transport  or  higher  level 
protocols.  The  advantages  can  be  grouped  as  follows: 

1)  general  advantages  of  subtransport  level  channel  establishment, 

2)  specific  advantages  relative  to  transport  level  channel  establishment,  and 

3)  specific  advantages  relative  to  putting  channel  establishment  above  the  transport  level. 


8  Suppose  a  host  HA  belongs  to  two  domains.  The  hosts  of  the  first  domain  place  universal  trust  in  HA ,  but  HA 
places  universal  trust  in  hosts  of  the  second  domain.  By  transitivity  of  universal  trust,  hosts  of  the  first  domain  place 
universal  trust  in  those  of  the  second.  Similarly,  we  can  show  that  hosts  of  the  second  domain  place  universal  trust  in 
those  of  the  first.  Consequently,  the  two  domains  can  in  this  case  be  coalesced  into  a  single  domain. 

9  Recall  that  a  host  can  only  belong  to  a  single  domain.  Thus,  two  domains  must  have  two  different  domain 
gateways. 
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5.7.1.  General  Advantages  of  Subtransport  Level  Channel  Establishment 

Putting  channel  establishment  at  the  subtransport  level  has  several  advantages  relative  to  put¬ 
ting  it  at  higher  protocol  levels: 

•  It  simplifies  transport  level  protocols.  When  a  host  crashes,  its  channels  are  destroyed. 
Thus,  remote  host  crashes  can  be  detected  at  the  host-to-host  level  at  the  time  of  channel 
establishment,  and  transport  level  protocols  do  not  have  to  employ  elaborate  timer 
mechanisms  to  detect  them  [Che86, 81b].  If  transport  protocols  above  ADP  employ  a 
sequence  number  that  is  monotonically  increasing  within  a  channel,  message  duplicates 
and  replays  may  be  eliminated.  Since  a  host  crash  initiates  a  new  channel,  duplicates 
across  crashes  are  eliminated.  Thus,  3-way  handshakes  are  not  required  in  transport  proto¬ 
cols  for  the  purpose  of  duplicate  elimination.  This  also  means  that  3-way  handshakes  can 
often  be  eliminated  from  transport-level  protocols.  A  short  transaction  then  requires  just 
two  messages  in  the  best  case,  as  opposed  to  at  least  six  in  TCP  [Dif85,  Ken77]  and  four 
in  secure  RPC  [BiN84,  Bir85]. 

•  More  than  one  protocol  may  exist  at  higher  layers,  and  different  protocols  may  require  dif¬ 
ferent  channel  establishment  mechanisms.  Thus,  unlike  in  the  subtransport  layer,  channel 
establishment  mechanisms  may  have  to  be  duplicated  in  higher  layers. 

•  There  are  two  public-key  operations  per  agent  per  remote  host  per  kernel  session.  Often 
these  operations  can  be  done  at  boot  time  or  during  idle  periods.  There  are  no  per-process 
or  per-operation  public-key  operations,  resulting  in  a  substantial  performance  gain. 

•  Since  messages  from  all  client  processes  and  higher  level  protocols  pass  through  the  sub- 
transport  layer,  a  number  of  these  messages  destined  to  a  common  remote  host  can  all  be 
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combined  into  a  single  datagram  and  sent  as  a  single  ADP  message.  This  can  reduce  the 
number  of  single  key  operations. 

•  In  the  presence  case  of  trust  domains,  handling  channel  establishment  at  the  subtransport 
level  drastically  reduces  the  number  of  transport  level  connections  necessary  for  commun¬ 
ication  between  two  processes  in  two  different  domains  (see  Figure  5.12). 

5.7 2.  Disadvantages  of  Transport  Level  Channel  Establishment 

Transport  level  protocols  are  used  to  implement  a  variety  of  communication  paradigms. 
Request/reply  (RPC)  [BiN84]  and  full  duplex  byte  streams  [81a]  are  two  of  the  popular  com¬ 
munication  paradigms.  We  examine  secure  RPC  [Bir85]  as  an  instance  of  channel  establish¬ 
ment  in  an  RPC  protocol,  and  secure  TCP  [Dif85,Ken77]  as  an  instance  of  channel  establish¬ 
ment  in  a  full  duplex  byte  stream  protocol.  Both  secure  RPC  and  secure  TCP  are  transport  level 
protocols. 
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Figure  5.12:  Comparison  of  ADP  (Figure  (a))  and  transport  level  channel  establishment 
(Figure  (b))  with  regard  to  trust  domains.  In  ADP,  the  number  of  transport  level  connec¬ 
tions  required  for  inter-domain  channels  A,-  j-A*!  and  A^-A^  is  much  smaller. 
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5.7 2.1.  Secure  RPC 

When  a  client  issues  its  first  RPC  request  to  a  remote  server,  the  RPC  mechanism  estab¬ 
lishes  a  channel  between  the  two  processes.  This  consists  of  agreeing  on  a  channel  key  to  be 
used  for  encrypting  RPC  requests  and  replies.  There  are  several  disadvantages  of  such  a 
scheme: 

•  For  each  channel,  the  RPC  system  must  maintain  long-term  state  information  consisting 
of  a  channel  key  and  sequence  numbers  of  requests  within  the  channel.  This  converts  sim¬ 
ple  stateless  RPC  into  one  with  long-term  state  information. 

•  A  three-way  handshake  is  necessary  to  agree  upon  the  channel  key.  There  are  0(n2) 
encryption  keys  to  be  agreed  upon.  The  cost  of  this  three-way  handshake  is  small  if  it  is 
amortized  over  many  RPC’s.  If,  however,  there  are  lots  of  short-lived  processes  making 
just  one  or  two  remote  procedure  calls,  the  performance  penalty  due  to  a  three-way 
handshake  is  substantial.  This  can  reduce  the  efficiency  of  RPC  for  short  transactions. 

•  There  are  four  public  key  operations  for  each  channel.  If  the  channel  is  established  for 
just  a  single  RPC,  the  relative  cost  is  substantial. 

•  There  is  a  single  key  encryption  and  a  decryption  for  each  RPC  request,  reply,  and  ack¬ 
nowledgement.  Since  messages  from  different  processes  use  different  channel  keys,  it  is 
not  possible  to  reduce  the  encryption  cost  by  piggybacking  messages  from  different 
processes  that  are  all  destined  to  the  same  host 

5.12.2.  Secure  TCP 

TCP  is  a  DARPA  Internet  transport  protocol  [81a]  providing  full  duplex  byte  stream  con¬ 
nections  between  processes  on  different  hosts.  Secure  TCP  [Dif85]  requires  an  initial  agree¬ 
ment  upon  a  single  key  to  be  used  during  the  lifetime  of  the  TCP  connection  after  the  end  points 
are  authenticated  to  each  other.  In  addition  to  those  mentioned  in  Section  5.7.1,  there  are  two 
more  disadvantages  associated  with  this  scheme: 

•  Four  public  key  operations  are  performed  for  each  TCP  connection. 

•  Encryption  cost  reduction  by  piggybacking  is  impossible  since  keys  are  not  per  host-pair. 

5.7 3.  Disadvantages  of  Having  Channel  Establishment  above  the  Transport  Level 

There  are  several  disadvantages  in  placing  channel  establishment  mechanisms  above  the 
transport  level: 

•  Transport  level  protocols  like  TCP  do  connection  establishment  using  three-way 
handshakes.  If  channel  establishment  mechanisms  are  above  the  transport  layer,  they 
require  their  own  handshake  to  agree  upon  keys  after  the  transport  level  has  established  a 
connection.  This  duplication  of  handshaking  entails  higher  message  overhead. 

•  Transport  level  protocols  do  error  detection  using  (insecure)  checksums.  Channel  estab¬ 
lishment  mechanisms  above  the  transport  layer  must  do  their  own  cryptographic  check¬ 
summing.  This  is  an  unnecessary  duplication  of  effort  as  error  detection  at  higher  layers 
can  be  avoided  if  checksumming  is  done  at  the  subtransport  or  transport  level. 

•  Transport  level  protocols  employ  sequencing  to  eliminate  duplicates  and  out-of-sequence 
messages.  Since  an  intruder  could  change  the  transport  level  headers  and  hence  the  tran¬ 
sport  level  sequence  numbers,  channel  establishment  mechanisms  above  the  transport 
layer  must  also  do  sequencing  to  detect  such  an  intrusion,  again  resulting  in  an  unneces¬ 
sary  duplication  of  effort 
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•  If  an  intruder  sends  a  false  message  with  the  correct  transport  level  sequence  number,  the 
transport  level  protocol  will  accept  it  as  the  next  message  and  reject  the  true  message 
which  may  arrive  later.  The  channel  establishment  mechanisms  above  will  reject  the  false 
message  correctly,  but  will  never  get  the  true  message.  False  acknowledgements  at  lower 
levels  can  disrupt  the  sequencing.  The  only  way  to  recover  from  such  situation  is  to  re¬ 
establish  the  connection  at  both  the  transport  and  the  secure  communication  levels.  This 
has  the  potential  for  much  unnecessary  tearing  down  of  connections  and  the  associated 
performance  overhead. 

•  Unauthenticated  messages  are  detected  only  at  the  level  where  channel  establishment 
mechanisms  are.  These  messages  are  unnecessarily  processed  at  all  lower  levels  of  the 
protocol  hierarchy.  Thus,  if  the  channel  establishment  mechanisms  are  at  a  high  level,  the 
amount  of  this  unnecessary  work  can  be  large  (but  this  should  be  a  rare  occurrence). 

•  Public  key  operations  are  more  numerous  than  those  required  by  ADP,  and  single  key 
operations  cannot  be  reduced  by  piggybacking. 

5.8.  Experimental  Verification 

No  design  is  complete  without  performance  evaluation  [Fer78].  It  is  quite  clear  from  what 
has  been  said  in  the  previous  sections  that  the  performance  advantages  of  ADP  can  be  expected 
to  be  primarily  due  to: 

(a)  the  reduced  total  overhead  for  channel  establishment:  in  ADP,  expensive  public -key 
encryption  and  three-way  message  handshake  overhead  are  needed  only  for  setting  up  a 
host-to-host  channel  and  once  per  agent  per  host  (for  sending  certificates),  rather  than  for 
every  agent-to-agent  connection  or  session;  ADP  channels  will  be  many  fewer  in  number 
and  much  longer  lived;  and 

(b)  the  much  higher  likelihood  that  the  benefits  of  piggybacking  will  be  felt,  as  the  traffic 
intensity  on  a  host-to-host  channel  is  never  lower  than  that  on  an  agent-to-agent  channel 
involving  the  same  two  hosts,  and  is  often  much  higher,  one  can  easily  speculate  that  the 
effectiveness  of  piggybacking  grows  with  the  traffic  intensity,  as  more  client  messages  can 
be  shipped  within  one  ADP  message;  also,  with  channel  establishment  mechanisms  at  a 
higher  level,  each  channel  will  have  its  own  channel  key,  and  client  messages  traveling  on 
two  different  channels  between  the  same  two  hosts  cannot  be  bundled  together  in  the  same 
ADP  message,  as  their  encrypted  portions  will  require  two  different  keys. 

However,  given  that  ADP  is  better  than  direct  agent-to-agent  channel  establishment,  an 
important  question  is:  How  much  better  is  it  ? 

To  give  this  question  an  empirical  answer,  we  measured  the  performance  of  a  prototype  of 
ADP  implemented  as  part  of  the  DASH  Project  at  the  University  of  California  at  Berkeley 
[AFV87d].  The  implementation  is  written  in  C++  and  runs  on  Sun  3/50  workstations  connected 
by  10  Mb/s  Ethernet. 

Since  we  had  not  yet  built  any  transport  protocols  on  top  of  ADP,  we  could  not  implement 
agent-to-agent  channel  establishment  mechanisms  in  them.  We  therefore  transformed  ADP  for 
some  of  the  experiments  into  an  agent-to-agent  channel  establishment  protocol,  i.e.,  we  had 
ADP  establish  a  channel  (using  public  key  encryption)  every  time  a  process  started  communi¬ 
cating  with  another  process  on  another  host 

Because  of  the  influences  on  ADP  performance  of  client  message  sizes  and  arrival  times, 
we  could  not  use  a  synthetic  input  such  as  those  of  some  previous  studies,  where  all  messages 
have  the  same  size  and  arrive  at  regular  intervals.  Thus,  it  was  decided  to  run  trace-driven 
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measurement  experiments.  Figure  5.13  shows  the  experimental  setup. 
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Figure  5.13:  ADP  experimental  setup 
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Since  a  complete  DASH  system  incorporating  ADP  does  not  exist  yet,  a  real  ADP  input 
trace  cannot  be  measured.  The  assumption  was  made  that  the  message  traffic  on  a  local-area 
network  interconnecting  a  variety  of  machines,  including  diskless  workstations  and  file  server, 
would  represent  a  reasonable  approximation  to  the  type  of  traffic  that  an  ADP  module  will 
experience  in  a  DASH  system. 

A  trace  of  all  packets  transmitted  on  a  10  Mb/s  Ethernet  among  96  machines  of  various 
types,  49  of  which  were  diskless  Sun  workstations  and  6  were  Sun  file  servers,  was  converted 
into  the  corresponding  client  message  trace,  and  also  decomposed  into  traces  containing  only 
the  messages  generated  by  a  given  transport  level  protocol.  In  particular,  in  the  experiments 
whose  results  are  summarized  below,  we  used  the  following  three  traces: 

•  ALL:  a  trace  including  all  client  message  types; 

•  TCP:  a  trace  containing  only  TCP  messages  (TCP  was  taken  as  an  example  of  a  transport 
level  agent-to-agent  full-duplex  byte  stream  protocol). 

•  NFS:  a  trace  containing  only  SUN  NFS  messages  (NFS  was  taken  as  an  example  of  a  tran¬ 
sport  level  agent-to-agent  request/response  protocol). 

The  primary  performance  indices  we  measured  were: 

Latency  L :  the  average  delay  incurred  by  a  message  between  the  instant  it  is  given  to  the 
sending  ADP  module  for  transmission  and  the  instant  it  is  delivered  by  the  receiving  ADP 
module  to  the  destination  process  on  the  destination  host.  To  compute  L,  we  averaged  the 
delays  of  the  messages  in  a  given  finite  sequence. 

Throughput  T\  the  maximum  rate  at  which  information  can  be  transmitted  by  ADP  on  the 
sending  host  and  received  by  ADP  on  the  destination  host. 

In  a  throughput  experiment,  the  client  messages  in  the  trace  arrive  at  such  a  high  rate  that  the 
input  queue  of  ADP  is  never  empty.  In  the  agent-to-agent  channel  establishment  case,  when  the 
arrival  rate  of  a  message  trace  is  increased  with  respect  to  the  measured  one,  a  decision  must  be 
made  about  whether  and  how  the  process  creation  rate  should  be  modified.  There  are  two 
extreme  cases:  (1)  The  process  creation  rate  is  kept  constant  while  the  rate  of  message  produc¬ 
tion  by  the  existing  processes  is  increased.  This  is  one  end  of  the  spectrum  and  represents  the 
best  possible  case  for  an  agent-to-agent  channel  establishment  protocol.  The  throughput  for  this 
scenario  will  be  denoted  by  Tl.  (2)  The  mean  message  production  rate  of  processes  is  fixed. 
Thus,  when  the  message  transmission  rate  is  increased  to  its  maximum  value,  the  process  crea¬ 
tion  rate  must  be  increased  linearly.  This  represents  the  worst  case  for  agent-to-agent  channel 
establishment.  The  throughput  for  this  scenario  will  be  denoted  by  T2.  These  two  cases  are  of 
interest  only  for  agent-to-agent  channel  establishment. 

Figure  5.14  shows  the  latency  and  throughput  values  for  the  following  cases:  (1)  ADP  (2) 
direct  establishment  of  agent-to-agent  channels  in  the  TCP  trace,  and  (3)  direct  establishment  of 
agent-to-agent  channels  in  the  NFS  trace.  From  the  figure,  we  conclude  that  the  performance 
gains  of  ADP  over  both  instances  of  agent-to-agent  channel  establishment  are  substantial.  The 
inferior  performance  of  agent-to-agent  channel  establishment  approaches  in  the  table  is  to  be 
attributed  entirely  to  the  much  higher  rate  of  PKE-based  channel  establishment  operations  that 
these  approaches  require  with  respect  to  that  caused  by  ADP,  since  even  the  ADP  experiments 
were  performed  without  piggybacking.  PKE-based  channel  establishment  is  quite  time- 
consuming:  we  have  measured  in  our  system  an  average  establishment  time  of  1.75  seconds. 

In  the  agent-to-agent  channel  establishment  experiments,  the  TCP  trace  had  76  new  con¬ 
nection  establishments,  and  the  NFS  trace  had  4 1  new  RPC  transactions  from  new  processes, 
both  in  a  sequence  of  10,000  messages.  Corrections  introduced  to  remove  edge  effects  reduced 
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30 

42 
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Figure  5. 14:  Table  and  histogram  showing  latency  and  throughput  values  for  TCP  and 
NFS  traces  with  subtransport  and  transport  approaches  to  channel  establishment.  T1  is  the 
throughput  with  constant  process  creation  rate.  T2  is  the  throughput  with  a  process  crea¬ 
tion  rate  linearly  increasing  with  the  arrival  rate. 
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the  values  of  the  numbers  of  new  connections  slightly  in  the  latency  and  T2  experiments.  In  the 
T1  experiments,  there  were  7  new  connections  in  the  TCP  trace  and  4  new  RPC  transactions  in 
the  NFS  trace. 

Figure  5.15  confirms  the  conjectures  made  at  the  beginning  of  this  section  about  the  effect 
of  piggybacking  in  ADP.  The  ALL  input  trace  was  used.  Among  the  many  experiments  we 
performed,  an  interesting  one  was  that  intended  to  determine  the  variation  of  the  latency  as  the 
arrival  rate  of  messages  in  the  input  trace  was  progressively  increased.  Figure  5.15  shows  that 
the  effect  of  piggybacking  is  insignificant  at  low  arrival  rates.  Without  piggybacking,  an 
increase  in  the  message  arrival  rate  causes  a  rapid  increase  in  the  latency,  whereas  with  piggy¬ 
backing  the  latency  starts  increasing  for  much  higher  arrival  rates.  Figure  5.16  shows  the  laten¬ 
cies,  throughputs  and  CPU  utilizations  for  an  unmodified  client  message  trace  (ALL)  with  an 
average  message  arrival  rate  of  250  messages/s,  for  the  following  cases:  (1)  without  any  channel 
establishment  mechanisms,  (2)  without  channel  establishment  mechanisms  but  with  message 
piggybacking,  (3)  with  ADP  channel  establishment  but  without  message  piggybacking,  and  (4) 
with  ADP  channel  establishment  and  with  message  piggybacking.  The  difference  in  perfor¬ 
mance  between  cases  1  and  2  is  considerable.  The  performance  of  case  4  is  very  close  to  that  of 
case  2,  whereas  the  performance  of  case  3  is  less  than  that  of  case  1.  This  shows  that  message 
piggybacking  can  keep  the  performance  cost  of  channel  establishment  very  small. 

The  results  of  our  experiments  therefore  show  that  the  performance  gains  of  ADP,  due 
both  to  the  reduction  in  the  total  overhead  of  channel  establishment  and  to  the  advantages  of 
piggybacking,  are  indeed  substantial. 

5.9.  Conclusion 

Trust  requirements  can  be  traded  for  performance  of  channel  establishment  protocols.  If 
channel  composition  is  PKE-based,  slightly  increasing  the  trust  requirements  allows  agent-to- 
agent  channels  to  be  built  on  top  of  host-to-host  channels.  This  host-to-host  approach  to  chan¬ 
nel  establishment  can  greatly  increase  the  performance  of  agent-to-agent  secure  communica¬ 
tion.  The  accompanying  increase  in  trust  requirements  is  still  satisfied  in  the  distributed 
system’s  name  space.  However,  if  channel  composition  is  SKE-based,  this  approach  requires 
global  trusts  which  may  not  be  satisfied  in  the  system’s  name  space.  Protocols  for  establishing 
host-to-host  channels  can  be  handled  at  the  subtransport  level  of  a  network  protocol  hierarchy. 
Experimental  measurement  of  a  prototype  of  a  host-to-host  channel  establishment  protocol 
confirms  its  expected  performance  advantages. 
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Figure  5.15:  Effect  of  piggybacking  on  latency  with  increasing  message  arrival  rates  (ALL 
and  TCP  traces;  piggybacking  is  denoted  by  Q  =on) 
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Figure  5.16:  Table  and  Histogram  showing  performance  effects  of  piggybacking  (ALL  trace) 


CHAPTER  6 


CONCLUDING  REMARKS 


6.1.  Conclusion 

We  have  developed  an  axiomatic  theory  of  trust  in  distributed  systems.  Our  theory  of 
trust  is  based  on  modal  logics  of  belief.  Any  well  formed  formula  assumed  to  be  valid  in  addi¬ 
tion  to  the  axioms  of  the  logic  is  considered  as  a  trust  specification.  This  gives  a  lot  of  power 
and  generality  in  expressing  trust  relationships.  We  have  presented  systematic  methods  for  syn¬ 
thesizing  protocols  that  are  necessary  and  sufficient  for  implementing  a  given  trust  specification 
in  a  distributed  system. 

Trust  arises  primarily  in  establishing  channels  for  secure  communication.  The  only  way 
to  establish  a  new  channel  is  by  composing  a  sequence  of  existing  adjacent  channels.  There  are 
two  kinds  of  channels:  independent  channels,  which  are  provided  at  system  configuration  and 
do  not  have  any  trust  requirements,  and  dependent  channels,  which  are  composed  from  indepen¬ 
dent  channels  and  have  trust  requirements.  Channel  composition  mechanisms  are  commonly 
based  on  either  public  key  encryption  (PKE)  or  single  key  encryption  (SKE).  PKE-based  chan¬ 
nel  composition  requires  ternary  trust  relationships  known  as  authenticity  trusts.  SKE-based 
channel  composition  has  much  larger  trust  requirements  than  PKE-based  channel  composition. 
The  differences  in  the  trust  requirements  of  PKE  and  SKE-based  channel  compositions  translate 
into  several  advantages  of  PKE-based  over  SKE-based  channel  composition  with  regard  to 
replication,  caching,  permanence  of  trust  requirements,  and  so  on.  Within  each  channel  compo¬ 
sition  mechanism,  the  trust  requirements  are  not  symmetric  with  regard  to  the  agents  involved 
in  the  mechanism.  Our  analyses  provide  insight  into  the  basic  structure  and  limitations  of 
mechanisms  with  regard  to  their  trust  requirements. 

In  a  distributed  system,  it  is  desirable  to  have  a  tree  of  independent  channels.  It  is  con¬ 
venient  for  the  tree  of  independent  channels  to  represent  also  the  global  name  space  of  the  sys¬ 
tem.  There  are  two  channel  composition  orders,  namely,  iterative  and  recursive .  Iterative  and 
recursive  channel  composition  orders  require  different  trusts  and  exhibit  interesting  duality  pro¬ 
perties.  As  one  of  the  most  important  applications  of  a  formal  theory  of  trust,  we  have 
developed  polynomial-time  algorithms  for  synthesizing  name  spaces  so  that,  given  a  channel 
composition  order,  and  the  trust  relationships  among  agents,  PKE-based  channel  composition 
between  any  two  agents  requires  only  a  subset  of  the  given  set  of  trust  relationships.  The  trust 
specifications  are  in  general  functions  of  three  agents,  but  can  also  be  functions  of  two  agents, 
in  which  case  the  algorithms  become  simpler.  Each  node  in  a  name  space  has  to  store  the  data¬ 
base  of  the  public  keys  of  its  children,  and  it  is  desirable  to  put  upper  and  lower  bounds  on  the 
size  of  this  database.  However,  the  problems  of  putting  upper  or  lower  bounds  on  the  number 
of  children  of  each  node  in  a  name  space  are  NP-compIetc. 

The  polynomial-time  name  space  synthesis  algorithms  have  been  implemented  and  exper¬ 
imented  with.  Sample  runs  of  these  algorithms  show  that  small  differences  in  trust  relationships 
can  cause  substantial  differences  in  name  spaces,  thus  demonstrating  the  practical  usefulness  of 
these  algorithms. 
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No  synthesis  is  complete  without  performance  considerations.  Trust  requirements  and 
performance  of  channel  establishment  mechanisms  can  be  traded  for  each  other.  If  the  channel 
composition  is  PKE-based,  slightly  increasing  the  trust  requirements  allows  agent-to-agent 
channels  to  be  built  on  top  of  host-to-host  channels.  This  host-to-host  approach  can  greatly 
increase  the  performance  of  agent-to-agent  secure  communication.  The  accompanying  increase 
in  trust  requirements  is  still  satisfied  in  the  distributed  system  name  space.  However,  if  channel 
composition  is  SKE-based,  this  approach  requires  global  trusts,  which  may  not  be  satisfied  in 
the  system’s  name  space.  Protocols  for  establishing  host-to-host  channels  can  be  handled  typi¬ 
cally  in  the  top  portion  of  the  network  layer  or  in  a  special  subtransport  layer  of  a  network  pro¬ 
tocol  hierarchy.  The  experimental  measurement  of  a  prototype  of  a  host-to-host  channel  estab¬ 
lishment  protocol  confirms  its  expected  performance  advantages. 

62.  Future  Work 

In  Chapter  2,  we  showed  that  the  implementation  of  trust  specifications  requires  con¬ 
straints  on  message  transactions  among  agents.  Many  of  these  constraints  are  of  the  form: 
send/receive  a  particular  message  before/after  sending/receiving  some  other  message.  A  more 
general  approach  to  representing  such  constraints  would  involve  temporal  reasoning.  We  pro¬ 
pose  to  investigate  the  possibility  of  combining  temporal  reasoning  with  modal  logic  for  this 
purpose. 

The  trust  relationships  considered  in  Chapter  3  were  functions  of  at  most  three  agents. 
Trusts  can  also  involve  more  than  three  agents.  Figure  6.1  shows  a  scenario  in  which  a  trust 
involves  four  agents.  Suppose  it  is  known  that,  when  IBM  queries  IBM-J  for  the  key  of 
ibaraki,  IBM-J  either  returns  the  correct  key  of  ibaraki  or  collaborates  with  jap  to  return 
jap ’s  key.  When  IBM-J  returns  a  key  key  \ in  answer  to  IBM ’s  query  for  ibaraki ’s  key,  IBM 
obtains  jap ’s  key  key2  through  an  independent  path,  namely,  IBM -USA  -  /  -jap.  IBM  then 
compares  key  i  and  key2,  and  accepts  key  j  as  ibaraki ’s  key  only  if  the  two  keys  are  not  identi¬ 
cal.  Here  a  trust  relationship  involving  IBM,  IBM-J,  ibaraki  mi  jap  is  necessary.  We  pro¬ 
pose  to  study  the  formalization  of  such  complex  trust  relationships  that  may  involve  more  than 
three  agents. 

In  Chapter  4,  we  developed  algorithms  for  synthesizing  global  name  spaces  from  trust 
specifications.  Additional  considerations,  such  as  fault  tolerance,  may  be  used  in  these  syn¬ 
thesis  algorithms.  In  a  fault-tolerant  name  space,  some  minimum  number  of  trust  relationships 
must  become  false  before  the  name  space  becomes  disconnected.  Redundancies  in  trusts  will 
have  to  be  used  in  constructing  such  fault-tolerant  name  spaces.  Another  desirable  feature  of 
name  spaces  is  the  localization  of  dynamic  reconfiguration  when  trust  relationships  change. 

In  Chapter  5,  we  outlined  the  trust  requirements  involving  user  processes  and  their  local 
hosts.  An  interesting  extension  would  be  to  study  trust  relationships  involving  user  processes 
and  remote  hosts,  such  as  those  involving  a  client  and  a  server’s  kernel,  or  a  server  and  a 
client’s  kernel. 
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APPENDIX  A 


Trust  Specifications  for  Name  Space  Design  Example  of  Section  4.9 


The  sample  set  of  trust  specifications  used  in  the  example  of  Section  9  of  Chapter  4  are  as 
follows.  For  brevity,  only  those  trust  relationships  that  are  assumed  to  be  true,  are  enumerated. 


T (IBM -J,  IBM,  ARC)  =  true 

T  (Jap,  IBM,  ARC)  =true 

T  (Sony ,  IBM ,  ARC )  =  true 

T  (Sony -USA,  IBM,  ARC)  =  true 

T (IBM -J,  ARC ,  IBM)  =  true 

T (Jap,  ARC,  IBM)  =  true 

T  ( Sony ,  ARC ,  IBM )  =  true 

T  (Sony -USA,  ARC,  IBM)  =  true 

T (ARC,  IBM,  IBM -J)  =  true 

T  (Jap,  IBM,  IBM-J)  =  true 

T  (Sony ,  IBM ,  IBM -J)  =  true 

T (Sony  -USA ,  IBM ,  IBM  -J)  =  true 

7  (ARC ,  IBM-J ,  IBM  )  =  true 

T  (Jap,  IBM-J,  IBM)  =  true 

T {Sony ,  IBM -J ,  IBM)  =  true 

T  (Sony  -USA ,  IBM  -J ,  IBM)  =  true 

T  (IBM-J,  ARC ,  Sony -USA)  =true 

T  (IBM,  ARC ,  Sony -USA)  =  true 

T  (Jap ,  ARC ,  Sony -USA)  =  true 

T(Sony ,  ARC ,  Sony  -USA )  =  true 

T  (ARC,  IBM-J,  Jap)  =true 

T (IBM,  IBM-J,  Jap)  =  true 

T (Sony ,  IBM-J ,  Jap)  =  true 

T  (Sony  -USA  ,  IBM  —J ,  Jap )  -  true 

T  (ARC ,  IBM  -J ,  Sony )  -  true 

T (IBM,  IBM -J ,  Sony)  =true 

T  (Jap ,  IBM  -J ,  Sony )  =  true 

T  (Sony  -USA,  IBM  -J ,  Sony )  =  true 

T (ARC,  Sony -US A,  Jap)  =  true 

T  (IBM  -J ,  Sony  -USA ,  Jap )  =  true 

T  (IBM ,  Sony  -USA,  Jap)  =  true 

T  (Sony ,  Sony  -USA ,  Jap )  =  true 

T  (ARC ,  Sony  -USA ,  IBM-J )  =  true 

T  (IBM ,  Sony  -USA  ,  IBM  -J )  =  true 

T  (Jap ,  Sony  -USA,  IBM-J)  =  true 

T  (Sony ,  Sony -USA ,  IBM-J)  =  true 

T  (ARC,  Sony  -USA,  Sony)  =  true 

T  (IBM  -J ,  Sony  -USA  ,  Sony )  =  true 

T  (IBM ,  Sony  -USA ,  Sony )  =  true 

T  (Jap ,  Sony  -USA  ,  Sony )  =  true 
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